Compliance Unfiltered is TCT’s tell-it-like-it is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable, compliance expertise with a sprinkling of personality.
Show Notes: How to Do More with Your Limited Security Resources
Quick Take
On this episode of Compliance Unfiltered, Adam and Todd take the time to delve into the perfect topic for January: How to do more with less. In this case it’s how to do more with your limited security resources.
Sure everyone is doing all they can, but where are the opportunities for improved efficiency? Wondering how bad assumptions are slowing your team down? Curious how you and your organization can supercharge your security efforts?
Catch all these answers, and more, on this episode of Compliance Unfiltered!
Transcript
So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now, here’s your host, Todd Coshow, with Adam Goslin.
Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow alongside the Garland to your compliance Christmas. Mr. Adam Goslin, how the heck are you, sir? I’m doing good, Todd. How about yourself? I can’t complain. All things considered, I really can’t. Now, today, we’re going to talk about something that, well, is near and dear to a lot of folks who are in this particular space.
First off, I will apologize in advance if any of my sarcasm drips on you through the microphone, but word has it, Adam, that people in the security and compliance space are plentiful, and the majority are just sitting around wondering what to do with themselves. Tell us more. Yeah, I just got nailed with a gigantic glob of sarcasm there, so thanks for that. The reality is that security people, security and compliance people, regardless of their level of capability, are in very short supply. The folks that are in the security and compliance space that actually know what they’re doing, I’m drawing the line of distinction between the folks that are dipping their toe in the water that claim that they’ve got this breadth of experience that don’t, etc.
The subset of the continuum, of the people in the security and compliance space that actually know what they’re doing, they’re in even more of a short supply. So the topic of today, being how to do more with your limited security resources, certainly is a topic that I think a lot of folks are going to be able to relate to, shall we say.
No doubt. Now, you talk a lot about the largest bad assumption that companies can make. Let’s revisit that. Well, there’s organizations out there, and this is actually something I learned firsthand, because the very first time that I needed to go through security and compliance, it was as a leader, as an IT leader, an experienced IT leader, you know, now getting faced with, hey, we’re gonna need to go through the security compliance thing. And sure enough, my boss made the assumption: oh, well, you know, you can spell IT, so you must know how to do all of this stuff, right? And meanwhile, that assumption couldn’t have been further from the truth. I’ve lived it firsthand. You know, I don’t feel like I’m talking out of school or, you know, saying something I don’t know what I’m talking about. I’ve lived this, you know, having my boss make this bad assumption that because I can spell IT, I can, you know, just magically know everything about security and compliance, and it’s just not true, you know. By the time I got through my first engagement, it was really eye-opening for me, and honestly was the reason that I walked away from working for somebody else and started, you know, creating security and compliance companies to go help people not have to go through the same misery that I went through, you know, with my first trip. But, you know, there’s a lot of organizations, they think because they have IT people, because they have a day-by-day IT service provider, that these folks know what they’re doing when it comes to security and compliance, and, you know, by and large, that’s really not the case. Now, they might tell you, oh no, boss, we’re all over it, white on rice, you know, hey, this is great, I got this, you know, and meanwhile they’re over googling their asses off and trying to figure out what things mean, and, and, and. Or they just don’t have the contextual experience. You know, it’s just dangerous for a lot of organizations, you know.
There’s also a number, you know, a number of organizations I’ve run into over the years, you know, they’re under this misnomer that, well, we’ve got, you know, we have a secure compliant hosting, you know, solution that we leverage, so because our stuff is there, poof, we’re golden, you know? And that’s not the case either. So, you know, we’ve done several topics, you know, related to these particular topics, so listeners can go and hunt down those, you know, those particular pods, but, you know, just because I have it at a secure compliant hosting facility, you know, regardless of their capability, it’s not until you go in and look at the, the responsibility matrix, you know, that organizations really understand. You know, and despite the kind of sugarplum visions of leadership at a lot of organizations, you know, they generally do not have the quality security and compliance people at their disposal. You know, these organizations, they need to wake up and they need to go under, you know, the assumption that they don’t have these people, because otherwise they’re just setting themselves up for, you know, what becomes an amazingly risky approach to their overall responsibility of trying to, you know, protect the organization. I know their heart’s in the right spot, but, you know, they need to get their head out of their proverbial. You’re on mute, by the way.
So at a fundamental level, what are some of the things that organizations can do to otherwise remove their heads and free up their security and compliance resources? Well, at a high level, I would recommend starting with, just go figure out what are these people, what are they doing? You know, in a lot of organizations, the person that got nominated to be in that kind of security and compliance, you know, arena, it may be, it may very well be an inherited responsibility. It’s, yeah, can you do this on top of what you were already doing, etc. So, you know, really going through your security compliance resources, what are their current assignments? Talk it through with them. What are they actually doing, you know, day by day, week by week? What are things that they do periodically? You know, you don’t lose sight of that. You know, what are things that they have to do once a week or once a month, once a quarter, whatever it may be. And, you know, a lot of organizations, honestly, are probably gonna be shocked at the day by day duties that these people, you know, either are doing, or have picked up over time, or that they never got the opportunity to transition to because nobody was identified to go take this thing over, so they’re just still doing it, you know, type of a deal. In a lot of organizations, I’ve seen this more times than I can count, right, they pull out their magical wand, you know, they’re gonna baton wave and ding, you know, so-and-so on the forehead, nominate them in charge of security and compliance, and they’re like, just go transition all your stuff, you know, and so they say it and then they walk away. You know, did things actually get transitioned? Well, we had, you know, these eight things that we needed to offload, they went over to, you know, so-and-so, but now so-and-so’s not there, and half of it came back, and there’s all sorts of things that happen, you know, when you’re trying to navigate, you know, gotta navigate day-by-day waters.
So, you know, they’re probably gonna be surprised. You know, it very well, this resource, the security and compliance resource, it’s also one that could legitimately leverage some type of a, we’ll call it, I’m gonna call it some type of a quality assistant to partner with them. Now, is that assistant, junior security compliance assistant, maybe? Could it be something literally as simple as an administrative assistant, you know, that can just, you know, take things off their plate that they don’t need to be worrying about, so they can just focus on what their real core, you know, capabilities are. You know, that may be another way to go about, you know, freeing up their time, but, you know, kind of analysis of what they’re doing right now, analysis of ways that you can help them, you know, start with those, and just, you know, take a shot at just trying to frickin’ free these poor people up, you know, that would be where I would start.
Sure, so once you’ve done that, what are some of the additional ways to optimize the very valuable time of the security and compliance people for an organization? Well, we are within a month of it being a decade ago that I literally built the tool that I desperately wished that I had when I started into the security and compliance space, and that’s a tool that we have aptly named the TCT Portal. It’s a tool that’s built specifically, built for people that are undergoing various industry standard compliance engagements. I would definitely, as a general notion, recommend integration of technology to assist with mitigating the most mind-numbing wastes of time that occur on a security and compliance engagement. I’ll just give a couple of examples here. You’ve got things like, who has what? Who’s been assigned to what? Did they do what they were supposed to do? Are they completed with it? Have they moved it to the next person in the workflow? They were supposed to get these five things done last week, you know, where they at, you know, etc. You just… basic blocking and tackling, etc., cat herding that happens on these compliance engagements. It’s stuff like that, reminding people what they have, giving them a place they can all go just to see what’s on their plate so they can go and start executing against it. There are a lot of things in the technology for security and compliance these days which will greatly help to bolster, streamline and cut out a lot of just absolute waste of time.
For the first five years that we had TCT Portal up and running, we were really almost like pioneers in this arena, but the landscape’s been changing rapidly over the last three years or so, and at this point in the game there’s a lot of options for organizations that face the challenges of trying to navigate their way through security and compliance engagements. That said, from the start, and we still do it today, we deliberately price the TCT Portal so that organizations that are using it would actually save time and thereby money through the use of the system. So the play for TCT Portal is literally, it is priced so cost-effectively that with the savings of time, etc., and the value of that savings, the Portal will actually pay for itself. I can’t say the same for all the technology players up there in the compliance and security space, but, obvious statement, I’ve got a certain preference, if you will, for this solution.
Sure, now the use of technology will help in general, but are there additional lifts that the organization feels in subsequent years? And I can just hear the folks, the listeners chuckling, as you think about things like the rock solid repository of your security and compliance evidence. You know, in most organizations, I’ve gone into this in depth before, but it’s some hodgepodge of Excel sheets, or SharePoint sites, or drop zones, network drop zones, you know, you’re getting evidence coming at you from 12 different submission channels, you know, type of a deal. It’s just a fricking train wreck. And so, you know, now you move into this space where I’m enforcing the leveraging of technology to run my engagement. You know, now you have benefits. You’ve got benefits of just a rock solid repository of all of your evidence, knowing who did what, when did they do it, what evidence did they attach the last time around, etc. These are all like monstrously helpful as you get into year two and year three and, you know, things along those lines. The ability to be on a line item, like one of the common things that I would hear over the years before I set about, you know, trying to build the TCT Portal, you know, common, literally common question from damn near everybody was, well, what did I give you last year? Well, now I don’t have to answer that question for you. You can just go in and hit a button, look at what you provided to me last year, etc., and you’re off and running. You know, you’re not dropping or blowing time between compliance, you know, status meetings, etc. I’m not spending, you know, two to four hours per compliance meeting just trying to figure out where’s everything at. Instead, I jump in five minutes before the frickin’ meeting and I’m ready to rock, you know. I know exactly where things are at. It’s beautiful, you know.
And so, you know, having as well, a system with a capability to allow the organization to readily recover from loss of personnel on your engagement, that’s a huge plus because I’ve got everything in one spot. You know, if I’m in the middle, if I’m mid-flight on an engagement, all of a sudden, you know, Bob gets hit by a bus and now I’ve gotta go and- Poor Bob. Yeah, exactly. I gotta hand everything over to Mary. You know, then I can do that. I can do it easily, you know. I know what things Bob had done. I know what things Bob’s still working on. I can automatically shift everything into Mary’s hands, etc. What more often happens than not is that I wrap up my compliance run for this year. And between now and- And when we start back up again next year, something changes, you know? Bob gets transferred to another department. Bob, you know, Bob actually gets hit by a bus. Speaking of which, I finally, after years and years and years of using that expression of hit by a bus, I actually personally know a dude that actually got hit by a bus. It was, for him, it was a bad day for me. He was fine, by the way. But for me, I’m like, man, I finally know somebody that was actually hit by a bus. This is awesome. But yeah, he hears about it every now and then.
So, you know, but something happens between last year and this year, you could change over one, two, eight people on, you know, that were supplying evidence, you know, between the track runs. It is a happy nightmare, especially when you’re the poor soul that has to do all the coordination, orchestration, etc. You know, now I got to go in, I got to retrain, I just spent, you know, multiple years training Bob and now I got to go in and train a new set of newbies, you know, etc. on, you know, answering all the same questions. Oh my God, it’s absolutely effing huge having, having all this stuff literally at your fingertips. So the use of technology will free up time for an organization only going after a single compliance standard or certification.
But how does technology assistance help organizations that have more complicated circumstances? Well, I mean, just a couple of different examples, you know, different things that would otherwise complicate, you know, compliance for an organization. So, you know, you got an organization that has to go up against multiple standards or certifications. So, you know, I need to be compliant with, you know, PCI and we want to do HIPAA, or need to be completely compliant with ISO 27001 and I want to do PCI, whatever the case may be. And in some cases, I mean, we’ve got organizations, you know, on the platform that literally are going up against four, five, six different certifications simultaneously. You know, one of the biggest benefits is the capability to coordinate the sharing of evidence across your various, you know, various target tracks to consolidate that collection of evidence. So it’s a, you know, it’s a collect once, use many, you know, style of approach that bears freaking huge dividends when it comes to being able to run these engagements, because now I’m not having to duplicate and copy evidence within a single certification, let alone copying it between various different tracks. Oftentimes, we used to have them back in the day, I’d kinda go through the most prescriptive of them, and then I’d spend a whole boat ton of time just duplicating, copying, copying and pasting evidence between the various manually run tracks. Now, I can just go and, whatever, the network diagram. I can go and collect my network diagram once, and then I can go ahead and map that off to my PCI, and my HIPAA, and my ISO, n, n, n, n, n. So the ability to configure and share evidence, that part’s frickin’ huge. You know, another element that really helps when you’re leveraging technology to free up your resources and make this a little bit more of a sane adventure, you know, is when you’ve got multiple parties in your workflow.
So for an organization that may be, you know, we’ll call it the smallest, you know, spectrum of this end-to-end compliance, it may very well be they’re self-certifying, and it’s only their resources, right? Like even in that case, you’re going to save a whole ton of brain cells.
But when you’ve got a circumstance where it’s my organization and all the people that are supplying the evidence, and now I need to float over to an assessor, you know, that’s one level of complication. Whenever you have an assessor, then you’ve got their QA involved, you know, etc. But you may have, and many organizations do, they’ve got their evidence gatherer flows over to some type of internal QA, flows over to a security compliance consultant, then flows over to their assessor, then flows to QA. So where you start getting those complicated workflows, technology can help a ton. And the third example of, you know, kind of the more complicated circumstances would be when an organization has, you know, maybe it’s multiple physical locations that need to provision evidence for certain requirements, or multiple departments that need to gather up similar evidence. Another example that I just, you know, that I was just thinking about too is in an organization where you’ve got kind of a corporate headquarters and they carry a certain number of the requirements overall for the organization, and then being able to share the common elements, you know, get corporate handling and basically share those down, either share them down to sub-organizations. So let’s say I’ve got a series of franchises or something along those lines, taking the corporate evidence and check boxing off the items on the separate tracks you’ve got for each franchise. Or alternatively, taking the detailed evidence from each of the sub-organizations and flowing that back up and into corporate, if your objective is to have one consolidated report on compliance or, you know, or compliance engagement. You know, the use of technology, you know, that is where really that technology is really going to shine and really overall cut an absolutely enormous amount of time, pain, headache, you know, out of it for your, you know, for your security and compliance people.
That makes sense. Parting shots and thoughts for the folks this week, Adam. Well, you know, we spoke earlier about this bad assumption, you know, that your existing, you know, IT resources, you know, really aren’t equipped for, you know, appropriate handling of a security and compliance engagement just because they can spell IT. You know, I would highly recommend to an organization that’s subject to compliance, whether they have an assessor involved or not, it is a really good idea to leverage an experienced security compliance consultant, you know, in kind of a pivotal way to both bolster the program, you know, but it’s also important, you don’t want the wolf watching the hen house, so to speak. You don’t want the people that are responsible for executing certain controls within the organization to also be the ones provisioning the evidence, going, yeah, yeah, that’s good, you know, that type of a thing. No offense, I don’t care who it is, it could be me provisioning the evidence: I shouldn’t be able to be responsible for a control and be able to say, yeah, yeah, it’s good. It is a bad way to go about doing it, it’s too much trust in, you know, you know, in one arena. And really, for an organization that, you know, for most organizations, the reason why they’re doing this at the end of the day, the reason why they’re doing it, is because they’re attempting to provision some protection for the organization. You don’t want the people provisioning the evidence being the ones that basically sign off on it. So getting that security compliance consultant into the mix, that’s huge, because now you’ve got somebody that doesn’t have a stake in the game, somebody that is a third party to the evidence provisioner, somebody that, you know, doesn’t have a vested stake in, you know, what was done right, or, you know, right or wrong, unlike the person who’s responsible for doing it day by day; they don’t carry that burden. Their only goal is to make sure that it’s right.
And so you kind of get that second set of eyeballs, a kind of neutral party to be able to go in and really, at the end of the day, make sure, yes, we’re doing this properly. Yes, we’re collecting the right evidence for this particular control. I can’t tell you how many times on engagements, especially those where there’s not an assessor involved, where we’re helping the client basically navigate their compliance engagement, where the person doing the evidence provisioning is absolutely convinced, oh, no, this is exactly what we need and we’re doing it right. And like, no, no, you’re not. You really need to make some enhancements here. What about this setting? They, in many cases, don’t even collect the right evidence to prove out the control, let alone whether or not they actually have all of the elements of said control validated as in place. You know, the two just don’t meet. So, you know, having that kind of trust but verify approach, that’s a big deal when it comes to security and compliance and really being able to increase the quality of the, you know, kind of the approach.
And, you know, we talked about it earlier, but security and compliance resources, there are good ones, quality ones. They actually know what they’re doing. They are very scarce. You definitely want to leverage those people for their specialty. You don’t want to be wasting time, you know, having them doing things that really aren’t within their wheelhouse. That’s a really expensive resource to just be squandering.
And that right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow. And I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less.