Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable compliance expertise with a sprinkling of personality.

Show Notes: Why Does Managing Compliance Suck for Applicants?


Quick Take

On this episode of Compliance Unfiltered, Adam takes the listener on a deep dive down the rabbit hole of internal compliance management. If you are responsible for your organization’s compliance, then this episode is especially suited to your story.

If you’re an external assessor, have no fear, this will give you a solid understanding of your client’s perspective and whet your appetite for next week’s episode, wink-wink. Coordination, communication, storage and more, all on this episode of Compliance Unfiltered.

Remember to follow us on LinkedIn and Twitter!


So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now, here’s your host, Todd Coshow, with Adam Goslin.

Well, welcome in another edition of Compliance Unfiltered. I’m Todd Coshow alongside the rain boots to your compliance muddy puddles. Mr. Adam Goslin, how the heck are you, sir? Long as they got flowers on them, we’re good. Darn right, as they should, as they should. Well, so today we’re going to talk about, well, how do we put this? We’re going to talk about how much managing compliance sucks for individual organizations.

So at a high level, Adam, tell me how things typically work for the poor soul that has to wrangle compliance for a given organization. Well, I mean, the listeners are going to very, very quickly realize the level of passion I have for this topic. And the reason is, quite honestly, is how TCT came about. I had to go through it myself, you know, kind of going from, huh, what’s PCI compliance, to sitting down with an assessor and having to struggle through, you know, all of the things. I then spent, you know, years in the trenches struggling with helping companies navigate these waters, getting through various compliance standards. So, you know, for the typical poor soul that has to wrangle compliance, that I often love to refer to as the eye of the compliance hurricane, you know, the reality is that it’s an unenviable position. You know, there’s a lot of things at play. You know, for, man, this all depends on the organization itself. In some cases, the organization, where their headspace is at, is enough clients have griped about, you know, you need to get compliant with fill-in-the-blank that, oh, gosh, I guess we’re gonna go ahead and detract from our day by day and go do this, you know, security and compliance thing, you know, type of thing, for a lot of organizations. It actually astounds me as a business owner, but a lot of them are in that boat. You know, some of them are in an arena where, you know, they’ve seen it coming, etc. They, you know, they’re doing the dance, but, you know, not taking it particularly seriously. And blessedly, there are some organizations which take it very seriously. So, you know, the reality is, is there’s kind of a lot of forces at work. And usually the way it works is somebody gets basically, I don’t know if it was like the last person to sit down when the music stops, everybody pointed right, and you happen to be at the right end of the line, you know, something, but somebody gets nominated to go get compliant.
And that poor person is basically kind of left to their own devices to go and get things figured out. And invariably, most people, human nature is to use things, tools that you’ve got at your disposal. And so therein begins the, you know, managing your compliance with an F-ing spreadsheet. And yeah, let the shit show ensue, shall we say. You know, they’re just, they’re trying to, they’re trying to figure it out. You know what I mean? And it’s a mess.

Well, what are some of the coordination challenges that companies face? Well, if you think about it, you know, for most organizations, you know, we’re not talking about, you know, you know, kind of the garage band company, right? We’re talking about an organization that’s been around for a little bit. They’ve got, you know, whatever. Let’s call it, for the sake of this discussion, you know, kind of north of 20 to 40 people type of thing. You know, you’ve got coordination that needs to happen across, you know, multiple departments. You know, whenever you do, like, so something like PCI is an example that kind of cuts across the organization. You know, you’re talking about, you know, the people that do day by day support for workstations. You’re talking about potentially developers, you’re talking about network administrators, you know, and that’s just in the gearhead arena. You know, you’re talking about various members of leadership. You’re talking about HR departments, legal departments, the accounting department, you know, and so it’s, it’s, there’s multitudes of different groups from disparate, you know, kind of silos within the organization. It’s very possible that these people are, you know, at bare minimum, typically sprinkled over multiple locations, whether it’s the people that work in the office, and then there’s all the people that work remotely, or, you know, you’ve got, you know, you have to be an organization that has two, three, four, five, eight and twelve more locations, you know, type of thing. You’ve got departments where, you know, they have different, you know, different driving forces internally, you know, so things that are important to, you know, important to the sales department as an example are not nearly the same priorities as your project management department or your, or your IT department, you know, type of thing.
So, you know, you’ve got competing, you know, competing drivers, oftentimes competing objectives and goals for the various departments within the organization, and, and somehow the, the poor person that was the last one to sit when the music stopped gets the sheer unadulterated joy of having to sit and go through and now coordinate a company-wide extravaganza, you know, across, you know, all of these various people. Not only that, you’ve got, you’ve got multiple vendors that are in the mix, you know, maybe as an organization I’ve got a whole year one or more hosting companies. I’ve got maybe outsourced IT. I’ve got, you know, other vendors that are providing, you know, this service, that service, the other, you know. And so you kind of couple all of these, you know, multitudes of intersections just within your own company, and now I’ve got to go ahead and layer over, let’s say, PCI, you know, we use that as an example. You’re talking about hundreds, hundreds of line items of stuff that needs to get collected, done, validated, blah, blah, blah. And so I’ve got these hundreds of requirements across, you know, n number of people internally, with everything, you know, trying to flow, you know, north and south, if you will, through the workflow. So, and that depends on the, you know, kind of on the, you know, on the company, you know. One organization is just kind of doing a, doing a self attestation. So it’s just them and their, and their group; maybe their workflow is frontliners provisioning evidence, flows to some type of an internal QA process, flows to complete. You know, some organizations will have some type of an external consultant that assists them with their security and compliance needs. Some organizations have to go through third party audits, in some cases, just depending on how those audits came together.
The organization does these two audits with this assessor, you know, the, these, you know, this other one with this one assessor, and then these other two with this third assessor, type of thing. So you, and across that, you have, like, evidence that needs to be leveraged across different standards they’ve got, etc. I mean, it can get astronomically painful when you’re, when you’re on these engagements.

Sounds that way. What are some of the communication challenges in the extravaganza of that nature? Well, this is just me playing scenario games, right? And I’ll give you a wide variety of different things that will kind of happen, you know, when you’re, when you’re on these engagements. And, so invariably, you kind of, the organization has decided we’re going to go get fill-in-the-blank compliant. And of course, the, you know, the, the uppity ups want to know where we are, you know, and so sure enough, one of the, one of the uppity ups comes strolling by the poor soul that was last to sit when the music stopped. And they go, hey, where are we at? And they’re like, I’ll let you know, I’ll send you an email later on today, you know, type of thing. And meanwhile, and so this person walks away from, you know, the poor person’s desk or whatever, you know, or just whips what they think is a quick email, you know, type of thing, and what they don’t realize is that that poor soul has to, you know, basically spend the next whatever hours just trying to figure out: what things have I gotten, are they any good, have I passed them up to our, you know, consultant or assessor, did they reject anything back down, blah, blah, blah. It’s a, you know, you’ve got things like, you know, the making assignments to people on the team. We talked about all these, you know, various people you need to collect evidence from, from various departments and things along those lines. You know, just even figuring out who is it that we need to, you know, assign these items to, you know, is it Bob, is it Mary, is it Brett, you know, whatever? You know, trying to figure out, you know, you know, those assignments, telling people that they actually have stuff that you need, you know, invariably the second that you go and send out the assignments, right?
The second you do it, it’s already out of date, you know. I could send the emails out to everybody at noon today, and by 1 o’clock, like, eight people on my list have now seen, oh crap, I totally forgot that I needed to send this thing in, you know, blah, blah, and they’re starting to whip their evidence, you know, etc. Um, you know, in that type of thing, you know, people on the team, you know, you sure, you sent them an email Monday, but 18,000 things changed between Monday and Wednesday, and now, you know, you’ve got to bump into Mary in the, in the hallway. Hey Mary, did you get me that stuff? I sent you the email on Monday or whatever. Yeah, you know what? I think I might have accidentally deleted it. What do I have again, you know, type of thing. This happens all the time. I know the funniest part is, I know that the people that are listening to this that have lived this hell, they’re all chuckling right now, because they’ve lived this shit, you know. You know what, it’s just, it is, it’s a nightmare, you know, trying to, you know, trying to do this. You know, you’ve got, you’ve got status meetings you’ve got to get prep for. You’ve got the flybys from the uppity ups. You’ve got, you know, you got vendors. They’re supposed to give you stuff and they sent something. Oh, yeah, I remember they sent me something, you know, uh, you know, late last week, but I haven’t looked at it yet. You need this for the next meeting, right? The minute you open, and you open it up and you look at it, of course, it’s garbage, you know. They sent you the wrong thing, or somebody attached the wrong file. Oh, yeah, I know you meant to send me your, you know, kind of your, your SOC report, or, I don’t know, you meant to send me your AOC, but you sent me the one from last year, honey, this year’s, you know, type of thing. And it’s just, it’s all of this, just amazingly dumb things that poor soul has to, you know, has to go ahead and juggle. It’s just, it’s a nightmare. For sure, for sure.

Now changing gears just a little bit. Yeah, talk to me more about some of the storage challenges. Well, going back to what we were talking about earlier, right? You’ve got the human nature to, you know, just want to go plug the hole with a tool, I know, aka Excel, uh, you know, and so, you know, sure, the eye of the hurricane has their Excel sheet where everything’s at, and they’re manually getting, you know, getting these to me. Oh, we were talking about communication, sorry, I got it. I got, I got to tell you this one other thing about the communication, and that’s the, um, the various modes and methods, um, you know, that people are sending you stuff. So as an example, um, you know, I could set up this amazing pristine structured series of folders and put your stuff by requirement, you know, whatever, I’ve got hundreds of requirements and, yep, I spent the time to sit there and create subfolders for every single freaking requirement known to man. And everybody knows that you’re supposed to store your stuff there, right? Well, the minute that comes out of your mouth and you go tell people that they got stuff and then you send them an email with, hey, I need your stuff. Well, what do they start doing? Well, one person goes ahead and immediately responds to your email attaching amazingly sensitive data straight into the email, another person who sees the email while they’re stuck in a traffic jam, you know, while their buddy’s driving, you know, sends you a text message, hey, by the way, all you need to do is go to da-da-da-da-da-da, and you can go ahead and grab this piece of evidence, you know, hugs and kisses, Mary, you know. You know, you got, you’re walking down the hallway to a meeting and somebody stops you and says, oh, seeing you reminded me, you know, can you do da-da-da-da-da or, you know, my stuff’s sitting over here, whatever.
You create this pristine storage location and all of a sudden people are dropping it onto whatever they have, they didn’t remember what this amazing place that you made for putting all of the stuff, they didn’t remember where it was. So instead what they do is they go ahead and drop it out onto their SharePoint site on some folder that they got access to and they send you a link to that, you know, type of thing. Dude, it is absolutely ridiculous how many ways that these poor people, you know, end up getting all of these inputs.

So you know, just number one, the sheer act alone of sitting down and creating this storage structure, this amazing place, you know, that everything lives, doing that in and of itself is a ginormous pain in the ass. And then you’ve got, you know, all of these communication streams coming in where people are basically sprinkling and spreading your security and compliance data all over the place. And so, you know, it’s just, it is an absolute nightmare and the person that has to wrangle all of this stuff spends a lot of their time just trying to go in, read this email, read this text, writing sticky notes to themselves because Mary caught me in the hallway or whatever, you know. And it’s just an absolute f-ing nightmare trying to get all of this stuff together, trying to get it all into the same spot. The eye of the hurricane basically spends their time duplicating stuff off of wherever the hell it got dumped and bringing it into the central storage location just so that they can go in and take a look at it, evaluate it, and if it’s not good, ah, sigh, now I need to go ahead and tell whoever it was the nice try, now I need to communicate to them. Well, this is what’s wrong with it, and blah, blah, blah, can you please send me an updated version of this? To which, of course, do they go put it into your pristine storage location? Oh, hell no. Instead, they go and send you an email. It’s like, oh my God. You know, you just wanna literally just start pounding your head on the desk repetitively. It’s uh, yeah, it’s, it’s quite the pain in the ass.

It certainly sounds that way. Now, I’m an efficiency dork, and you know that. Where is the most time wasted? Like, you know, people hours, hours per year, like where, where are the efficiency opportunities? Well, and this is going to be a generic, this is going to be kind of a generic overview, and for the listener, if you go out to the TCT website and you go to the resources and you go under, there’s a section called ROI calculator. So if you go in there, we have, we do have a handy dandy tool you can start plugging numbers into, etc. Um, you know, the, the reality is that there are several arenas that, that kind of come into play. So we, and we’ve talked about, uh, some of these. So you figure that you’ve got, um, you’ve got weekly status meetings that, that you need to get prepared for, um, you know, so you’ve got, you’ve got those, that type of work that comes into play. You’ve got, uh, you know, weekly meeting time, so whenever you do one of these engagements, you’re constantly having to get back together with the internal crew. You definitely don’t want to have that conversation in front of your assessor, uh, type of thing. So just kind of like a safe forum for the internal folks to just say whatever is going to come out of their mouth, not in front of the assessor, uh, you know, type of deal. So you have weekly internal meetings, uh, you know, type of deal. Um, you’ve got, um, you know, the generation of, of this kind of pristine place you want to go store all your stuff, um, but you got time spent in getting that in place. You’ve got, um, you know, that you got to communicate process and procedure to the team about how we’re going to go in and do things, etc. Um, you know, that needs to be done. Certainly one of the biggest, you know, uh, you know, elements is collecting up and tracking all of the evidence that the team is generating and, you know, and, you know, and whose hands is it in, was it submitted, you know, etc. I can’t tell you how many times I went in to go check on somebody’s stuff.
And I basically, I sent, you send them an email, hey, Frank, you know, you had three things that you needed to submit, I only see one of them in, you know, type of deal, you know, where, when are you going to get me your last two? And sure enough, you know, sure enough, Frank responds, I sent you those in an email last week. Really? Well, did you, did you send it? I mean, did you send it to me in it with a subject line that said evidence for blah, blah, blah? Of course he didn’t because Frank responded to the, you know, weekly potluck thing and just forwarded that to you and put his comments about his good security and compliance stuff underneath that email moniker. So you’d never find it. Yeah. Can you tell I’ve lived this? You know, you’ve got things like organizing of all of the evidence, you know, and getting it all consolidated. You’ve got time that you need to spend with your consultants or assessors, etc, just talking with them about where are we at and what’s going on. Them even communicating rejections and, you know, rejection notifications and contacts, etc, you know, and whatnot. You know, once you get through, once you got to get through your year one, you know, then you’ve got the same type of wastes of time, you know, coming around in year two. Plus, you get the added bonus when you get to your, you know, kind of your second year of running this gauntlet, if you will. Then you’ve got kind of the cleanup on aisle five that happens on damn near every engagement that I’ve ever seen.

It’s such a mad scramble as you’re kind of heading into the end of the year that people start to abandon, like willingly abandon the all process procedure, whatever it may be. They’re just like, get her done. You’re just trying to navigate the waters and blah. Well, what that means is once all of the dust settles and the assessor finally tells you, yep, you’re all done. I’ve got everything that I need. I just need to go put my head down and write my report. Well, the internal company that’s going through compliance, they’ve got to go back and if they want to have everything, you know, kind of cleaned up, you know, blah, well, now they got to go spend time on that. So, you know, even for a small, I ran some numbers and one thing that I’ll say to the listeners is, you know, the ROI calculator that we’ve got out there just basically has you know dump buckets for how much time you spend on this each year but you got to think it through right it’s, it’s um you know for one-time tasks you know okay great take your stab at how many people are going to be involved in it total hours blah, blah, blah, but we’re talking about things like the weekly meetings you know how many people on average show up to a meeting? How many weeks are you going to be doing these meetings? Over how long are these meetings gonna be? You know that type of thing, and you know you’d be surprised I mean you know for a typical uh for typical engagement you can probably count on a good excuse me, probably count on a good uh probably 20 weeks of, of total time for you know for information data collection clean up you know post assessor da, da, da you’re gonna have a ton of weeks of meetings that are that are kind of coming into play You know, so don’t forget to kind of do that math, right? How many people, how many weeks, how many hours per week per task, you know, etc you can actually get real numbers into, you know, into here. 
Like I went and I ran a scenario game with, I’m going to call it a smaller organization where I’ve got six people giving me evidence. I’ve got one poor soul that’s the eye of the hurricane, three people that show up to weekly meetings and a couple that have to be involved with, you know, triage cleanup and assessor discussions and at that, that’s a, that’s a, and that’s like on one cert, you know, you’re talking about close to a thousand hours, you know, a year type of thing is kind of put into that and for, you know, for a lot of the uppity ups, they don’t, they don’t really, it’s not visible to them. Just what the hell is actually happening, uh, you know, on these engagements. Uh, it’s, uh, it’s pretty astounding.

Well, how can we help companies not do the same thing repeatedly and hoping for different results? Right? Like we’re not insane folks. How do we help other people? I was just about to say, that’s the definition of what, um, so the bottom line, not, not any shocker, but use it, please, for the love of all that’s holy and true, use a compliance management system. Um, you know, uh, we wrote this thing for a freaking reason. We’ve been through the pain. We’ve been through the pain ourselves. We’ve been through the pain of watching companies go through it. Um, you know, we built this thing for a reason, uh, you know, the bottom line is, is that, and this won’t surprise anybody, but, uh, guess what TCT uses for its own compliance? You betcha we’re using the TCT portal, which is the same system that we recommend, recommend to others to leverage, to track and manage their compliance, is the same one all of our stuff goes into. We’re putting our data where we tell people to put their type of thing. Putting your data where your mouth is, is interesting. Yeah, exactly. Well, and that’s something that I just, I love pointing that out to organizations that we talk to when they’re basically trying to articulate just how many dimensions of hell they’re going through with trying to keep track of all their stuff. And I tell them, look, I’m a business owner too, and you can absolutely bet that we’re using the freaking tool to manage compliance because it is such a huge saver. So, we were talking about you know, we were talking about, a smaller style engagement, it being close to a thousand hours. I mean, the reality is that when you, when you’re on an engagement like that, you can literally split in more than half, you can split that amount of time. 
So in this tiny use case, you know, with a very small organization, you know, we proved out that you can, you can clear, you know, a thousand hours, you know, you’re going to be under 500 for, you know, for when you go through and do it as a, you know, as a smaller scale organization, you’re literally going to cut your time in half. You know, and you figure, well, I mean, you figure at that rate, I threw in there an average hourly salary of the people on the team of 40 bucks, which I think that’d be a pretty decent, a pretty decent guess, might be a little low based on the fact that I’m going to have a number of kind of high priced gear heads in the mix and, you know, and whatnot. Yeah, I might get away with a couple of, a couple of people that aren’t quite making, making that much, but that’s a pretty good average. And even in this tiny example, at 40 bucks an hour, the organization effectively saves themselves three times the cost of the portal, just in terms of, just in terms of the labor hours, let alone, you know, people that are, you know, have this strong desire to whip themselves out of a window over it, you know, it’s, it’s going to save sanity, it’s going to save precious brain cells. It’s going to cut down on the amount of pain and time and all that fun stuff, you know, etc. It’s just, it’s the tool itself automates a lot of the things that cause pain.

So going back to that example, we were talking about, about a little bit ago of what are the types of things where you’re wasting time. Well, going back through that list, preparation for status meetings, I used to spend literally hours before each status meeting, trying to figure out where everything was and blah, blah, and updating my Excel spreadsheet and da, da, da, da. Guess what? The TCT portal, everything is live. You’re not spending that time. You know, my weekly, my weekly meeting, like today, I can literally walk into a status meeting and glancing at the dashboard a minute before I go walk in. And I’ve got enough to go be dangerous and just dive straight headfirst into the meeting. You know, I’m not spending hours of prep. The weekly meetings, you know, where you would spend an hour before, guess what? Those weekly meetings are at least split in half. For some organizations, they literally schedule these meetings for two hours. You know, I’ve warned most organizations could probably clear an efficient status meeting in about 30 minutes with the, you know, with using the system. They don’t, that organization doesn’t need to create a storage system because it comes as part of TCT portal. They don’t need to create a process for, you know, manual process of all this internal documentation, etc, for doing their collection and tracking and, you know, blood of evidence because they’re using a system. There’s, they’re still going to need to go through and collect evidence, but the collection of, the collection of that evidence and tracking of it, that is, is made more optimal by leveraging, you know, leveraging a system that you basically tell everybody to go in and use, you know, as you know, you talk about organizing the evidence, time discussing statuses with the auditor, you know, etc. All of these things, they go away because you’re using automation to solve the freaking problem, you know? 
So it’s just, dude, it’s honestly, and this is the part that the uppity ups don’t get. They really don’t understand just how much pain is involved with this space. They were- No, no, because they haven’t done it. Yeah, they did. Well, they, because they just get to breeze by, you know, so-and-so’s desk and ask them what’s the status, you know, or whip them an email or whatever it may be, or tell them, hey, I want your status report on my desk on Wednesdays at four o’clock, you know, whatever, and not realizing that it’s literally hours of work just to get to the freaking answer. And the saddest part about that is, by the time that I finish making a status report, actually, by the time that I’m 15 to 30 minutes into making the, you know, creating the information I need to create the status report, it’s already out of date. So it’s just, it’s, dude, it’s, it’s tough. It’s, it’s really, really tough. And I, I really wish that leadership, layers of middle management, etc. I really, really, really, really wish that their light bulbs would start going on with just what an absolute sheer waste of time and money it is to, to do it the way that they’ve, that they’ve been doing it. They look at it as if it saves them. Oh, well, we’re using a tool. It doesn’t cost us anything. Are you kidding me? You could, you could literally, you could literally free up, but you know, on a small engagement, I could free up 500 hours of the people on my team. How is it? Go talk to your CFO. Would they love to be able to not hire another body because everybody’s freaking out and stressed and blah, blah, blah? I’m pretty sure that they would. So, you know, oh my gosh.

Yeah. It’s just, it’s, it’s amazingly frustrating that, that the light bulbs don’t go on at those upper levels, but the best advice that I can give any organization that is still using any form of a we built it ourselves system for managing their compliance. Please do me a favor and go talk to these people and interview them and find out how much time it takes them to do this and this and that. And the other thing and how much sheer volume and time they’re wasting because a lot of it is happening behind the scenes and it’s not visible.

Well, it’s a good point. What are some of the other ways that TCT has the capability to help people within the compliance space? Well, I mean, we’ve been at this for a week or three. You know, we built, here’s the important part that I want to underscore. We built the tool with a purpose. If you, if you already have a team and they’re all over it, they just need a better way to go about doing it. Great. Please, please save yourself. Use the TCT portal and you can use it all alone, right? But I’ve been, I’ve been out in the space etc. Doing things for a long time and you got to remember that a lot of our, you know, best, best clients are actually assessment firms that leverage our tool as their tool for managing all of their compliance engagements for their clients. And so, you know, I kind of wave the flag to, you know, the partners that we’ve got, the clients that we’ve got, they already know this, but, you know, TCT isn’t the organization to step on toes and blah, blah, blah. So to that end, I’ve been out in the space doing security compliance, and consulting, we do help a handful of organizations with that still. We actually have a lot of very, very amazing, awesome people that will refer or recommend to their friends to come have a conversation and TCT can help in that arena.

So we’ve got a consulting practice where we can help organizations get from what I experienced back in the day, huh, what’s compliant, you know, what’s PCI compliance, you know, all the way through, getting compliant with fill in the blank, through ongoing care, feeding, management, maintenance of their compliance track. With a, I’m not gonna bore the listeners to tears, but we have a whole battalion of things that we can bring to the table where we can help and, you know, not the least of which is, you know, we’ve been out in this space for, you know, for well north of a decade. And, you know, and we know people. We know people out there that are good to deal with. We also know some people, I’m not gonna name names. But we also- We know those folks too. We also know some people that are not so cool to deal with. So, you know, we can, you know, a lot of times clients will come to us and just say, hey, I need fill in the blank. You got anybody that you can, you know, that you can recommend, etc.? We’re usually, we’re able to give, you know, give good recommendations. The one thing that I’ve said to everybody so far, I won’t stop saying it, you know, is that TCT as an organization, we didn’t want to, we didn’t want people wondering, oh, is he recommending that? Because, you know, they’re giving him the biggest kickback. TCT, straight across the board, we don’t accept referral fees, spiffs, anything along those lines from anybody that we recommend. Our interest is in helping people in the compliance space. So, you know, just rest assured, if we’re giving you a recommendation, that’s really what we think. You can take the recommendation, you can leave the recommendation, that’s your call. But most of the people that know us, they take our recommendations.

You know, the other side where we’ve got the capability to help organizations, and this typically comes in in the consulting space, but we’ve done some, you know, outside of that as well. I don’t even think we’ve got this on the website, to be honest with you. Again, this is just word of mouth, but we’ll do penetration testing for organizations, external, internal, net layer, app layer, web services, wireless systems, mobile applications, we can do it all. So, yeah, we do a fair number of those types of engagements as well.

Parting shots and thoughts for the folks this week? Kind of. Well, this has been one, yeah, I warned you, dude. I got fired up about this stuff. So, yeah, this is probably one of my longest pods ever. But, you know, the important part for organizations, you know, for organizations that are going through it, you know, is to get the company to change their mindset. You need them to, in some way, shape or form, be able to see value in the overall program. You know, too many organizations see their security and compliance efforts as a distraction from their real work. And the way that I’ve always looked at security and compliance, especially as a leader of an organization, you know, as a member of leadership, it’s my responsibility to protect the people that work for this company. It’s my responsibility to protect the clients that depend on this company. You know, I look at the efforts we put into security and compliance. They are better, far better than the dollars I whizz down the drain paying for cyber liability insurance. These are real things that really make a marked difference in the security capability, status, protection of the organization. And that’s the way that I look at it. More companies need to get those light bulbs to go on, because I’ve seen too many CFOs that will just outright poo-poo the amount, oh my gosh, we’re spending too much money on this. Guess what? You wanna go have some fun, go look up the Ponemon Institute and their annual Cost of a Data Breach, and figure out how many records you’ve got and do the math. The bottom line is that you should, that same person would absolutely lose their mind if they knew how much risk they had for the amount of data that they’ve got. And this is an absolute drop in the bucket. We need the organization to see the light, not just the poor soul that was the last one to sit when the music stopped. So we actually created an eBook.
If you go to the website, go to resources, go to compliance guides, and then you’ll see one in there how to make the business case for a compliance management system.
Kind of trying to help the eyes of the hurricane figure out how the hell do I go talk to my boss, and get them to see the light and see the value in what I would love to have and why it makes sense. That’s an eBook that we put together just to help people, because our entire world revolves around helping people make compliance management suck less.

No doubt. That right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow. And I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less.
