Compliance Unfiltered is TCT’s tell-it-like-it is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable, compliance expertise with a sprinkling of personality.

Show Notes: How To Regain Your Compliance Sanity


Quick Take

On this episode of Compliance Unfiltered, Adam and Todd give the listeners the inside track on how to get their compliance ducks in a row, with the help of a properly calibrated tool set.

Many organizations struggle to effectively manage the different compliance frameworks they are beholden to. Curious how you can gain hours back in your day? Looking for extra cost savings in your current process? Tired of having to constantly nag people for required deliverables?

Then you’re in luck as you’ll find all the answers to these questions, and more, on this week’s Compliance Unfiltered.

Read The Transcript

So let’s face it, managing compliance sucks. It’s complicated. It’s so hard to keep organized and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now here’s your host, Todd Coshow with Adam Goslin.

Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow alongside the Mrs. Butterworths of your compliance pancakes. Mr. Adam Goslin, how the heck are you, sir? 

I’m doing good, how about yourself? 

And I can’t complain. But you know, I’m a busy guy, as a lot of folks are, right? I’m managing a lot of things and spinning a lot of plates, as they say, is commonplace. And a lot of folks in the compliance space are looking for a way to regain their sanity and manage multiple compliance standards effectively and easily. A lot of folks in this space, Adam, have experienced the pain of multiple certifications firsthand. Tell us why it’s so challenging. 

Well, I mean, there’s a, there’s a lot of reasons, but I mean, you know, a lot of people have felt this pain, you know, your, your company needs to go through multiple compliance standards, such as maybe it’s PCI with HIPAA with SOC 2. I don’t know, throw an ISO in there, you know, a NIST standard, what the hell. Um, and you know, for, for years and for, for a lot of these organizations, the way it usually starts is they’ll start with one, right? Uh, we decided to be HIPAA back in the day and you know, then we had to extend that out to the second cert and then we had to extend it to the third cert and whatnot. So, you know, a lot of times, and it made sense how they started their journey, right? They, they started that journey with, uh, with a good old tried and true spreadsheet. And, uh, you know, and as the, as the monster has been fed, as it has grown, et cetera, um, you know, the, the, the, the folks have just been dealing with a larger and larger and larger level of pain, uh, related to how to manage all of this stuff, you know, their, their, their operational scope has, has, uh, you know, gone up. The number of people involved has gone up. The number of certs has gone up. In some cases, even the number of assessors has gone up. So, um, you know, it, as you’re trying to wrangle that through all you’ve known, you know, all the way along, uh, and I totally get it, but, um, you know, so you, you end up just kind of, uh, grinning, bearing it and, uh, and dealing with is a good way to put it, uh, the monstrosity of manual, manual process and procedure, you know, um, you know, until, you know, and, and, and that continues to go along until somebody else pops out of the woodwork and says, Hey, you know, it’d be a great idea. Let’s go ahead and head down this new compliance route. So, you know, all of a sudden your, your work’s growing exponentially. 
You’re, you’re layering more and more stuff on, maybe you’re even doing, you know, company or company acquisitions and things along those lines. Now I’ve got, you know, multiple spreadsheets and, you know, multiple assessors involved in, and then, uh, you know, for a lot of the folks that, that sit in this compliance management and, or in the CISO space, you know, it, it almost feels, it almost feels defeating to try to manage your, manage your compliance, you know, it’s like herding cats. Well, it’s, it’s, it’s, it’s, in some ways it’s worse, right? They, they, they, oh, they, it’s, it’s, you know, if I only had five cats, I needed to go herd, then I might have a prayer, but the problem is, is the cats have kittens and, uh, you know, and some of them have attitude problem. 

Some men said some cats have attitude problems. 

And, uh, you know, I don’t know, let’s, let’s just, let’s continue with this analogy, you know, all of a sudden there’s like, there’s one assessor. So in the cat herding world, maybe the assessor is the stray dog that comes down, you know, kind of comes down the street to just break up the party and make it exciting. Uh, you know, all of a sudden now, now I got two stray dogs, three stray dogs. You know, it’s out of me while you’re trying to herd cats. And yeah, it’s a, it’s, it’s a nightmare. Long story, really. Um, you know, and you know, the reality is, is that, you know, they, they get into this mode and you feeling like it’s just overwhelming, you know, it’s what we did last year, we’re going to go ahead and start the circus music again, you know, and do the same damn thing we did last go around. It’s just going to be worse. And, uh, you know, it sucks for everybody and, you know, especially when you’ve got the multiple, you know, multiple compliance certifications. And so, you know, folks don’t need to be, uh, don’t, don’t need to be killing themselves to, to, to, to navigate the waters. And what I found with a lot of folks in the space, you know, we talk to a lot of assessors, but, you know, we also end up talking to a lot of folks that are, I call them applicants in this space, those that are applying to be certified. And, you know, for those folks that are subject to some type of a security compliance standard certification, um, you know, in many cases, they’re in the, the same damn boat, right? Uh, subject to, uh, you know, subject to the, uh, uh, uh, a monstrosity of their own making, if you will, uh, in terms of trying to manage their way through it. And the other reality is, is that, you know, when, when we started, when we started into this space, when I, uh, one of the light bulbs went on for me, oh gosh, probably about a fifth north of 15 years ago, um, that there’s a better way to go about managing this stuff. 
It quite literally was because I had a background in application development. I knew I could do a better job at being able to manage these engagements. I’d seen it from all sides and I wanted to literally light a match to all of my effing spreadsheets. So, um, yeah, it was a, uh, it was a pretty cool time to go ahead and, uh, you know, it’s kind of see this all play out, but, um, it’s, it’s not easy. It’s, it’s not easy. And the biggest problem for those that are in this mode is that they don’t have enough time to go and figure out what, well, what should I do or what can I do or, you know, or, or whatnot. They just literally start the circus music again and go do the same thing that they did last year. And, and, uh, that’s what we’re, uh, that’s what we’re trying to help folks with. 

Well, how can folks leverage automation to streamline any compliance standard? 

Well, I mean, it doesn’t matter really what compliance framework that you’re, you know, that you’re leveraging the, the, the TCT portal. Part of the reason why I didn’t name the company, you know, PCI, you know, PCI compliance or name the tool, the PCI tool, you know, type of a thing, um, is because I literally wanted the platform to be able to handle any form of industry standard, uh, you know, compliance or, or, or certification. And to that end, um, you know, the, the portal officially went up, running in live north of a decade ago at this point in the game. Uh, and you know, it now supports more than 80 different compliance standards. Uh, we continue to add more standards to the platform based on when we have clients that have a need. So, um, you know, what we tell the, the, the folks that leverage the, the TCT portal is, I don’t care what you’ve got. It’s an industry standard, you know, framework. We’ll go, we’ll go at it. I remember when we, uh, you know, so we’ve got things like, you know, uh, I’ll come back to this in a second, but PCI, we’ve got, uh, all the flavors of PCI. We’ve got SOC 2, we’ve got, uh, various flavors of NIST. We’ve got HIPAA, we’ve got ISO 27001. You can find CMMC and CCSS and, you know, less common standards, Exostar and, uh, NAID and that’s a, that’s a good one. North American information destruction, uh, you know, standards. So there’s, there’s a, and there’s a whole bevy of others. Bottom line is that, you know, like go back to NIST CSF. When NIST CSF first came out, um, you know, we, uh, you know, we were aware that it, that it had, it had arrived. We had one client said, Hey, I really want to go use NIST CSF. No problem. We will go ahead and get it. You know, we went ahead and got it loaded up onto the, onto the platform and no joke. It was in, I think it was within two weeks of it actually going live. We had three other clients pop it out of the world. Okay. 
We’d really like to take a look at the NIST CSF and it’s like, that’s just the way it’s rolled, right? Since, uh, since the beginning. So, you know, I tell folks that, you know, it doesn’t matter what industry standard, uh, certification, uh, standard or certification that you’ve got. If it’s, if you’re a paying client, it’s not on our system and we, and we can add, add the content and we’ll certainly go ahead and do it, uh, and get it integrated right into the TCT portal. We’re not going to charge you to make the, you know, to, to improve the breadth of certifications that the TCT portal can handle. That’s part of our job. 

Now, how is duplicate work reduced through the use of the TCT portal? 

That sounded quite prophetic. You know, one of the, one of the seriously painful elements of managing multiple compliance engagements is how much duplicate crap that you got to do. Um, you know, yeah, I’ll put it in an easy context, right? Most standards are going to require that you have an information security policy. Most standards are going to require you to be doing things like security awareness training or having a data flow diagram or having a network diagram or having firewall rules, whatever it may be. And, um, so what you end up doing is number one, you end up fulfilling the same requirements or damn near, uh, across these various standards, using the same evidence, you know, in, in a multitude of places, uh, you know, and whatnot, and, you know, you just got to ask yourself, what if instead of managing, you know, through these disparate client and compliance engagements, you know, what if you just had, you know, one main standard that you wanted to go through and manage, and then the TCT portal can go and do a lot of the heavy lifting, you know, how much, how much time, frustration, you know, would that eliminate for an organization? And the beauty of it is the TCT portal already has the capability for, you know, going through and literally evaporating, uh, all, all this duplicate work, duplicate tasks, et cetera. It doesn’t matter how many standards you’ve got, you know, you go, you load, upload each piece of evidence once, you know, et cetera. So as you’re loading up your stuff for AV, nip diagrams and inventories and, uh, you know, and whatnot, you know, this is, let’s say you load it up to your PCI track and PCI is a very, you know, relatively prescriptive standard. Uh, and now I can go ahead and map that off against my SOC 2 or against my HIPAA, you know, et cetera. You can kind of go in there and set up, uh, set it up so that you can manage all of those multiple standards in one spot. 
We use mapping, you know, behind the scenes to go through and map the elements from PCI off to the secondary standards. We also have the capability to kind of identify those elements of the target certification that don’t cross over. So as an example, in, um, in HIPAA, um, you know, in HIPAA, you’ve got a business associate agreement that you need to, that you need to have a template for. You need to show that you’ve, um, invoked that within the, the, the correct vendors, et cetera. So while the vast majority of your HIPAA engagement is inheriting off of your existing PCI track, we can set the, you know, the business associate agreement and related tasks right into the hands of your team so they can keep moving on that HIPAA track, uh, with the business associate agreement. Meanwhile, inheriting the vast bulk of the things that are needed for the remaining, uh, elements of HIPAA, those will just automatically come over as they’re cleared within the PCI engagement. 

Um, and all of this, this happens without you touching a thing. Um, all you have to do is go in and, and, and kind of dial in your, your PCI engagement, we’ll, we’ll, we’ll work with the, with the target organization to get everything, uh, put together and, oh my gosh, just that move alone. Uh, you know, I can, I can kind of hear the, you know, the, the poor, you know, folks that have to do the managing of compliance. I used to call them the folks that were in the eye of the compliance hurricane. You can just kind of hear them, you know, with the clouds parting, angels singing and all that fun stuff, because it’s a gigantic pain in the ass. It really is. 

The vision of you as a cherub is fantastic. Um, how can companies consolidate all of their requests into one simple list? 

Well, you know, what I just talked about, right, I just talked about going through leveraging kind of a more prescriptive standard, uh, in the mapping that off against less prescriptive secondary standards, right? That’s one way to do it. An alternative, uh, and, and for a lot of organizations, they have spent an inordinate amount of time because they’ve run into these problems. They’ve seen all of this duplication. I mean, hell, if I just take PCI and I just look at, uh, you know, let’s say that the company has kind of the, the one overall information security policy to rule them all mentality, well, they could literally use that policy doc and apply it against hundreds of items, uh, you know, across the, the, the PCI framework. Right. So do I really need to go and, and, you know, spend the time to connect the same information security policy to these multiple hundreds of items, just on a PCI engagement, let alone, you know, the, the, the number of places I would need to go in and connect it to on an ISO standard or on a CFS, et cetera. And the long story really, really short is, oh, hell no. Um, you know, the, the, the alternative way to go about doing this and what these companies have done is they’ve already run into these roadblocks. They’ve already had to go figure all of this crap out just to, just to try to save their own sanity. And they’ve created, uh, you know, either the company has created a list. This is the, these are the unique things that we need to go and collect across the course of our annual security compliance engagement, or alternatively, uh, the, you know, it may very well be that their security and compliance consultant or their, uh, or one or more of their assessors has said, Hey, here’s the stuff we need. Whatever the source may be. Um, in, in a lot of cases, people have tried to make their world more sane by creating this kind of one list. Right. 
And the cool part about the TCT portal is that while sure I can go load any industry standard, uh, industry standard, you know, for, uh, or, or certification to the platform, it also allows me to go ahead and load up what we’ll, we’ll call a custom framework to the, you know, to the platform. So when I’ve got these organizations that whatever the source may be, uh, they’ve got a unique list of things that we need to go ahead and collect and they know where all that stuff needs to land. What I can do within the TCT portal is I can take their list in their words in terminology that makes sense to them with guidance that they can provide, uh, you know, and what I’m literally put, put their own information collection list within the system and then map that off against all of their, you know, their various target standards and whatnot. Um, and it doesn’t matter then at that point in the game, how many different security compliance standards they need to go up against. Now they’ve got this one list. And even if they were to, as an example, let’s say that they had gone up against PCI and, uh, uh, PCI SOC 2 and HIPAA, and then they decide, Oh, well now we need to go ahead and go up against NIST CSF. 

Well, instead of now having to reinvent the wheel, instead all the, all that organization now needs to do when they come to that decision is they need to figure out, you know, they need to coordinate to figure out what are the elements of NIST CSF that we need to specifically gather evidence for that isn’t already covered in our single request list. Uh, and then we can go dial on in the background, their target, you know, target certification so I can go and put it, put the NIST CSF track out there. And with the updates to their single consolidated request list and their NIST CSF track, as they’re filling out this request list, it’s automatically populating to all the right target, you know, location. So a lot of times what I’ll see folks doing is that the client themselves, uh, will deal with, would not deal with, but they, they will interact with the, uh, the, the custom lists that they put together. Um, if they’ve got a consultant to our assessor, they’ll oftentimes work as well on that single consolidated list just to go in and do their vetting, validating, et cetera, and then as those items map off to the, to the secondary or target standards, uh, then, uh, the, the assessors will basically, they can go in and leverage just the industry specific or the industry standard, uh, or certification tracks and go through those and do their additional validation, vetting, reporting, QA work, things along those lines. Um, so all the way around, uh, when you, when you go this route, uh, I mean, I think organizations would find it challenging to, to, to streamline their overall, you know, kind of security and security and compliance program, uh, in a more effective way. 

Well, what options do companies have for how to apply their streamlined compliance team savings? 

Well, they have a lot of options, right? I mean, you know, we’re talking now about just, um, right now we’re focused on the compliance of the compliance team. And you know, with the, when you’re using appropriate tooling to make your world better and more sane, um, then it gives you choices. Um, so now I can do more with less, um, you know, before you were, you continuously felt like you were understaffed. Um, you know, now when you move into a world of leveraging, you know, automated and tell it the automated intelligence of the, of the TCT portal, you know, now you’ve got the ability to, to go in and, uh, keep your compliance engagements under control, do it with a smaller team. Uh, and now we, I’ve got options. I can go ahead. I could deploy, redeploy my resources to, you know, make more effective decisions about how you want to consume, you know, the, the, the people’s hours that are on your team. If you didn’t have the TCT portal, you quite literally would be light, pouring gasoline on and lighting a match to either hundreds or thousands of man hours as you watch them, you know, watch them burn away, uh, where now you can kind of reclaim that, you know, reclaim that time, uh, and go put it to good use. The, the really interesting part about, uh, especially those resources that are, uh, that are in the security and compliance arena, um, because of the fact that these people have to have, um, in order to be effective in the, in the compliance management space, they have to have a great breadth and depth of capability. These are folks that you could leverage in a lot of different places within your organization. Um, they’re usually not inexpensive resources either. So, uh, you know, bringing that power, you know, back to other, other functions within the organization, that’s huge. 
You know, you, you really get to be able to leverage some high powered, high powered resources and, and deploy them on things that quite frankly are more important and worth their time than them just running in circles, you know. 

Yeah, that makes sense. Now, how can things like weekly status meetings be readily facilitated? 

Well, weekly status is one of my favorite parts about this. For those that haven’t had the experience of leveraging a really quality compliance management system, this is probably, for me, this is one of my favorite parts about the damn system is that, and back in the day, I literally, I wrote the system I wished that I had when I was struggling with going through compliance. That’s how this all came about. You know, the status at a glance, even if you’ve got multiple teams, a ton of people, et cetera, when you’ve got multiple certifications, you probably have various internal groups that are responsible for every element of each of these certifications. You know, you’ve got multiple teams. They may be disparately located. They could be sprinkled all across different countries, different parts of the country, whatever it may be. So, you’ve got a lot of really challenging coordination that needs to happen. One of the bigger problems is that every single one of these people, well, they have a day job. Their day job isn’t, hey, you know what I feel like doing for the next four months solid is, I just wanna go put my head down and fall asleep at night on my compliance handbook. You know what I mean? That’s not happening. You know, they got their own stuff to do. There’s competition for time. You need to make things effective and whatnot. And it is a freaking gigantic job to be able to figure out who’s got what, where’s it at? Did they do it yet? Have they, you know, have they done any work on this item? Have they passed it up for internal review? Is it already gone up to the consultant or to the assessor, you know, what did they say? Did they approve it? I don’t know. You know, interest, just, just literally trying to keep track of all this crap is, it is an effing nightmare. And so the TCT portal, one of the beauties of this is, it automatically, this is a live dashboard of what’s where. It’s a live system. 
So instead of what I used to do back in the day, I used to spend for every client engagement that I was working on, I would spend two to four hours in advance of the status meeting, just trying to figure out where everything’s at. I can just go, I can just literally go open up the portal, go to the client engagement and at a glance, I can see who’s got what, what, when did they do it? How many things are still in their hands, et cetera. It’s life. I can go to, and I can see the history of who’s done what, what they did, you know, in more, at a more detailed level. I can, I can tell from that side as well, but I can, quite frankly, walk into a compliance status meeting with either. It depends on how good you get with it and everything, but I can walk in with no prep and literally just open up the interface and peruse it for 30 seconds as we’re starting the meeting, you know, that type of thing. Maybe in some cases, any five minutes to just check a couple of things out, but gone is the multi-hour preparation process, you know, et cetera, you know, to go in and do it. And the worst part, I know that, I know there’s people listening, they’re chuckling right now. 

The worst part is, so I go in and I start, like it’s human nature, right? Human nature is if I have a meeting, I’m going to start winging and flinging. So you’re coming up toward the status call. I think I’m being brilliant and whatever. The status calls at 1 p.m. So I’m going to be brilliant. I’m going to go ahead and get online early, maybe kick it off at 7 a.m., spend from 7 to 11, you know, kind of get my arms around things and whatnot. And you want to know what fricking happens every fricking time is that I go in, I start gathering up my, I’ve identified where all this stuff is at. By the time that I finished, you know, looking at the stuff for Bob and Fred and Mary on the team and I’m moving on to other people, I’ve collected up where’s this status at? And let’s say I wrap those guys up by 8.30 or 9 o’clock. Well, now at fricking 10, right? Because we had a one o’clock meeting today. All these people come out of the woodwork and start whipping, you know, various elements of evidence. So what happens? I go and show up at the meeting. I’m like, Bob, I saw, I was checking things out and I see that you still have this and this and that and this and the other thing that are overdue. And yeah, I really need this stuff. You said you were going to get them done. Oh, I’ve submitted those already, really? You’re getting caught off guard in meetings and you end up wasting cycles, circles, you know, et cetera. The staff themselves took, you know, used to take about an hour of just, you know, dragging through all of the ridiculous BS. I’ll tell you what, being able to go check out status without all the associated bullshit. Oh my God, it is glorious. 

Now nagging for those supplying evidence can be a gigantic pain. Tell us more. 

Oh, that used to be some of my least favorite things to do. So what I used to do back in the day is I’m sitting here with this Excel sheet. I’m going through everybody’s stuff. I’m trying to figure out what all they’ve got. I’ve got it in Excel. Well, what I was doing is I was, I’d go and send an email to Bob and I would go to my Excel sheet and I’d copy all the things I was showing as open for Bob, paste them in, put them into the thing of a Bob. Hey Bob, I really need your stuff, blah, blah, blah, blah. That’s one effin person. What happens when I get 18 people, right? I’m stuck trying to whip send 15 to 20 emails to everybody on the team. You know, then the worst part is that I start getting, now they start responding to me through the emails. I’m getting emails, text messages, and phone calls. They’re stopping me in the hallway, dropping stuff on the file server end to end to end. I can’t keep up. I literally can’t keep up. I’m drowning in this stuff. So it was a gigantic pain to do the reminding. However, when you’ve got multiple certifications and you’re trying to keep your eyeball on it, I would get questions all the time. Things like, hey, what items do I have again? And I’d have to go and do that manually back in the day. What did I give you last time for this item? And because of that human tendency to put everything off to the last second and then have some oh crap moment and try to go through all the tasks that last second, you know, you’re basically, you’re on these people’s case. And again, we talked earlier about the competing priorities and things along those lines. I mean, the more you can empower people to go in, self-serve, get their own answers, et cetera, it’s all right there in the portal, you know. Go log in, I can see exactly what items I’ve got. Go log in, like if you used the TCT portal last year, go log in, I can see exactly what evidence I supplied last year for this same item, you know, et cetera. 
So it streamlines the hell out of all of those activities and the system automatically will wake up every morning and remind the people on your team, hey, you’ve still got four items open. You’ve still got two items open. The beauty is, the minute that the person on the team wraps up this, you know, their items and they clear their queue, they stop getting emails. Well, guess what, if in two days from now, the consultant or internal QA or the assessor goes through and says, hey, that’s great, but I also need to fill in the blank, then they’ve got the option. The best part about it is that the TCT portal is automating all of that. It’s sending out these emails, sending out the notifications, reminding them. When you get something back from internal QA or the consultant or the assessor, now the system wakes up again. It starts sending emails, hey, by the way, you got one item. So literally all you need to do is just number one, train your people, pay attention to your daily status emails. Because if they do, then they’ll know exactly that they’ve got items that are due, things on those lines. 

So it automates all of the nagging. The better part, the best part actually for me as somebody that’s kind of trying to manage or wrangle the damn engagement, is that the people on that team, they don’t have one iota of an excuse. Geez, I didn’t know I had three items. Yeah, you did. You got an email every day for the last three weeks. You know what I mean? It’s glorious. So it just makes it really, really easy to be able to keep your finger on the pulse of what’s going on as you’re going through your engagements without just basically lighting a match to all of the time that you would have otherwise been composing these emails. And it’s not just as you go into the status meeting. I was doing these reminder status update emails. In some cases, I would have to do that three or four times a week just to try to keep everything moving. Especially as we were starting to get toward the deadline, it started to ramp up. So initially it’s once a week on Mondays or something. So everybody can start on the right foot and get their stuff done. Next thing you know, you throw a Thursday in there. Next thing you know, we’re starting to get near the deadline. We really need to move. So you throw another day in there. That’s just kind of the way it goes, but yeah, it sucks. 

No doubt. Now what about those organizations that may have multiple assessors? 

Well, if you got multiple assessors or multiple consultants or whatever the case may be, we talked earlier about kind of how that, how that, what’s the word I’m looking for, how it progresses as organizations get their first cert and then onboard a second and then onboard a third. A lot of times what people found, especially over the years was, when we started off with HIPAA, that’s great. Those people knew HIPAA, but now I need to go and do PCI, but my HIPAA person doesn’t do PCI. So now I need to, what typically happens is, I go and I bring in that PCI QSA. Now all of a sudden they, somebody pops out of the woodwork and says, oh, well now we need to go with ISO 27001. Well, the person that does HIPAA doesn’t do ISO, they also don’t do PCI. The PCI group, they do PCI, but they don’t do ISO. So now I got a third one in the mix. And after a while I’ve seen organizations that have had as many as like five different assessors, depending on what that mix looked like. Eventually light bulbs start to go on, they move kind of up the food chain, they consolidate, things along those lines, but it doesn’t matter if you got one assessor, if you got five assessors, it’s irrelevant. As you’re going and using a compliance management system, like the TCT portal, you don’t want all this extra effort of coordinating with this assessor, that assessor, the other one. You can go ahead and assign, let’s say that assessor one needs to do the work on two of your different certifications and assessor two needs to do work against one, and assessor three has to do work against another two types of things. You got three total assessors. We can allocate and assign the workflow on each of your kind of end resultant engagements. We can do that through the portal. It makes it seamless. 
And so each of your assessors can go, they can see all their information in one spot, specifically for the tracks that they’re responsible for, and not be able to see the work of the other assessors on the other tracks and whatnot. So for those organizations that are in that mode of kind of going through it with multiple assessors, yeah, it makes it extremely attractive to be able to go down that path and have the allocated workflows be appropriate based on their circumstances. 

Parting shots and thoughts for the folks this week, Adam. 

Well, I had a long story, really, really short. I try to make it as simplistic and direct and straightforward as humanly possible for folks. And when we started TCT, we set out to make managing compliance suck less. We can’t make it go away, but we can certainly make it suck a hell of a lot less. You know, for those folks that are dealing with multiple compliance engagements and all of the other complexity, I mean, they know, you know, kind of the pain that they’ve gone through year over year. It’s almost like a pain that they’re used to, but just keep in mind that leveraging technology to take useless crap off of your plate, you know, it’ll end up allowing you to automate up to 65% of your engagement. And I mean, we talked earlier about the fact that you had, you know, just the compliance team and how much more sane it’ll make it for them. You’ve got to understand as an organization, this isn’t, I’ve heard this comment before, oh, yeah, yeah, yeah, that’s just a tool for the just the people in the compliance management arena. That’s not true. You know, the benefits that you get out of moving into compliance management, they are way the hell bigger than that. Yes, for a single group, the one single group that’s going to benefit the most absolutely is your compliance management people. However, you’re also going to gain a lot of ground when it comes to, but it’s at a smaller scale across a broader spectrum. So you’re going to save time, just not at the same, you know, kind of relative volume, but you’re going to save it over a much broader group of people, which is all of the folks that are provisioning evidence. Their world is made so much better as they go through this. They’re not having to, you know, go ask questions about what do I have and what did I give you last time? And I thought I submitted this to you, and it’s in the system. 
You know, the beauty of a compliance management system is this, I talked earlier about having to check, talk to people in the hallway and check my text messages and then listen to my voicemails and look for post-it notes somebody left on my desk and there, of course, I’m in some other meeting and they, you know, somebody will tell me, oh yeah, I did, blah, blah, blah, just, you know, and I put it here. I’d be writing notes on pieces of paper, you know, emails. It just, the amount of cat herding was just effing ridiculous. You know, as you get into here, one of the big things that I tell folks that are leveraging the TCT portal is I say, look, get all of, get everything into the system, because why? Well, now I don’t have to check all of these other places. I literally had a conversation with somebody earlier today where I would say, I was telling them, like, look, don’t send me an email about fill in the blank, go put something into the, you know, put comments into the, you know, into the system, you know, and whatnot, because then we all only have one place that we need to go look for information. It’s beautiful. And dude, it just saves an astronomical amount of pain. And that’s exactly why we got into this space. 

And that right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow and I’m Adam Goslin, hope we helped to get you fired up to make your compliance suck less.
