Compliance Unfiltered is TCT’s tell-it-like-it is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable, compliance expertise with a sprinkling of personality.
Show Notes: Mastering Compliance: Own Your Data, Own Your Success
Quick Take
On this episode of “Compliance Unfiltered,” The CU Guys dive into the intricacies of compliance management programs. They explore various implementation approaches, from manual spreadsheets to sophisticated systems, and discuss the importance of organizations owning their data.
Adam shares insights on the potential pitfalls of relying solely on assessor systems and emphasizes the efficiencies gained by leveraging internal systems.
Check out this episode to discover how to streamline your compliance processes and make your organization’s compliance journey more efficient and effective.
Read The Transcript
So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process.
Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now, here’s your host, Todd Coshow with Adam Goslin.
Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow alongside the boughs of holly to your compliance Christmas, Mr. Adam Goslin. How the heck are you, sir?
I am doing fantastic today, how about you?
I can’t complain, I really can’t. I want to take this opportunity to remind folks we love to hear from you. We want to hear your feedback and opinions about Compliance Unfiltered, suggestions, funny stories, your favorite cookie recipe, we’re all here for it. Go ahead and send all of those things to compliance unfiltered at total compliance tracking.com today. Adam, we’re going to have a conversation about the advantages and drawbacks of an organization’s compliance management program approach. So you always say life’s full of choices. So at a high level, what are the various implementation approaches that you’ve seen for compliance programs?
Well, I mean, in some cases, they’re using their own compliance management solutions. And in other cases, there’s many that just opt for the good old-fashioned spreadsheet and using some type of a completely manual approach with network drops or share points as a typical inclusion, et cetera.
You know, some people are kind of cobbling together their own series of internal tools and manual processes that they’ve kind of put together, depending on who’s running the program over the years and whatnot. Well, you know, you’ve got other organizations that, you know, they’ll simply just use their assessor-provided systems with the notion that, well, we need to get all the stuff in there anyway, so we’ll just use their system, you know, type of a thing. So it’s kind of a mixed bag would be a good way to go about putting it.
Sounds that way. Now, you like to say that an organization needs to own their own data. What do you mean by that? And why is it important?
Well, you know, you’ve got these folks that, you know, that do use their assessor systems, right? And the downside of that is that, you know, it’s on the organization to make their own program efficient, effective, work for them, you know, things along those lines.
And, you know, the reality is that, you know, depending on various circumstances, things change over time, you know, you may have, you may have, you know, there was a particular firm that you were leveraging and a particular person at that firm that you used, and they moved on, they retired, they got promoted, you know, I’ve seen it all. They got bought out, they went out of business, you know, things along those lines, maybe the relationship with whoever is your currently assigned point person this year isn’t as good as they were in years gone by. It could be the same person they’ve just changed. It could be that you’ve had some type of personnel shift, you know, things along those lines. You know, one of the things that we’ll see a fair amount is, you know, organizations that are basically getting bought out, right, and organizations getting scooped up and folded into another gigantic behemoth, you know, type of thing. And so the relationship you used to have and the pricing you used to have isn’t the same as it used to be. So, you know, the reality is that things change, you know, all over the board. And so, you know, when you’ve got these modifications to, you know, to the players that are involved in your compliance program, you know, overall, then, you know, if your systems, quote, unquote, if your, quote, unquote, systems were dependent on, you know, this other third party and now something’s happened with said third party, well, now what are you left with? You know, you’re not left with anything. So, you know, it’s part of the reason why, you know, I say that, you know, the organization subject to compliance at the end of the day, you know, it’s on them to, you know, have the repository for their own information, for their own data, so they, you know, got it in a way that works for them. That’s the most important, you know, element for, you know, for these companies.
They need to be able to kind of depend on having their own way of doing things and then, you know, figuring out a way to interface with, you know, with the various third parties that they’ve got to go and interact with.
Yeah. Now, I’ve heard this a lot, right? And maybe it’s about some semblance of plausible deniability. Maybe it’s nice to not have to think about it.
I don’t know what it is, but what are some of the unrealized downsides of simply leveraging your assessor’s system?
Well, at the end of the day, I mean, what a lot of organizations lose sight of, right? It’s funny the relationship that organizations have with their assessment firms, right? At the end of the day, they’re a vendor. They’re a vendor to your organization and whatnot, and yet some people walk into that relationship with such an extreme level of kind of blind reverence that they, oh, whatever the assessor says we need to do, we just need to do it, type of a thing. And when you’re dealing with a vendor-style situation, you’re really gonna sacrifice your own efficiency so that you can make their world easier. It doesn’t make sense.
There’s a lot of material impacts when the unexpected happens and the organization decides to switch their assessor for whatever. We just talked about a whole plethora of reasons why it could happen. But any one of those comes to fruition. You now have a situation where you’ve got this massive change, the storage solution that you were using is now evaporated. In many cases, it no longer exists or you need to migrate from this to that, that type of a thing. It’s a big upheaval. In many cases, the organizations kind of got used to using the assessor systems and maybe they even built some efficiencies into their leveraging of it. And now all of a sudden, all of that goes away. Not only does all that go away, but their storage of all of their documents for last year, year before, et cetera, that goes poof too. So even if the organization can go get an extract of the information from that system that they were using, in all likelihood, it’s coming at them in a zip file, some dump file from their system that’s going to be, at the end of the day, primarily unusable as they’re trying to build back up their program and whatnot. But the company literally will have to start over from that perspective of overhauling their system. And for most cases, what they’ll end up doing is they’ll end up having to hob-cobble something together internally, which creates, there’s all the blood sweat tears that went into that, followed by then the second slap in the face of now having to re-adopt to the new world, if you will, with whoever their new assessor is. So it’s a lot of upheaval. It’s a lot of wasted time, wasted effort, things along those lines. So it’s just, it’s a bad scene all the way around.
Well, what types of efficiencies can organizations subject to compliance realize internally?
Well, when they go through and they do, when they, you caught me, you caught me drinking coffee. So, you know, when organizations, you know, go ahead and decide to take an approach where they want to make themselves, you know, when they want to make themselves more efficient, you know, they’ve got a number of different things that they can depend on. You know, it’s interesting, as you see organizations, kind of the light bulbs start to twinkle, they start leveraging, you know, leveraging their own systems to manage their own compliance, you know, et cetera, and do so for their own purposes. It’s a lot of things.
You know, you look at a typical, typical compliance engagement. A lot of folks will look at the, you know, the only efficiencies to be gained are going to be from whoever is that internal point person or coordinator, you know, of their compliance. And, you know, really how many hours can we actually save there? Well, I mean, I can tell you that, you know, using a good, you know, a good compliance management system, yes, will save that person, that poor soul, you know, a lot of frickin’ time, pain, headache, stress, you know, et cetera. But it’s not just that point person, you know. You look at it, you know, when you’re going in, going into the, you know, to the system itself and, you know, simple things like just being able to open up the system and immediately tell because it’s live information, where are we at, who’s got what, who did what, did they actually do it? They said they were going to do it, did they actually do it, things along those lines, you know. So you’ve got all of those coming into play. You also have all of the time that that person would spend, you know, kind of sending out reminders. So a lot of the job of that poor individual is, you know, kind of herding compliance cats on an engagement. So, you know, it’s sending out reminders, hey, you know, Bob, you still have six items. Hey, Mary, I’m still waiting on your three, you know, Frank, you said you were going to do your stuff last week, but I don’t see anything yet. Things along those lines. So, you know, sending out reminders of what people need to do and, you know, and whatnot. So, you know, there’s a lot of that. There’s also the fact that even as the person themselves is going through, let’s say they receive some evidence, you know, if they now reject it back down, well, now if I’m using some type of manual spreadsheet, I’m having to go over there and manually update the spreadsheet with the status. No, I rejected this item and here’s why, you know, things along those lines. 
So, you know, as they’re doing it, not only are they, you know, having to manually handle the communication, but then they’re also having to manually update their, you know, the tracking system and whatnot. So, you know, those are a lot of the, you know, kind of the gains, if you will, that can be made, you know, from there. But, you know, it’s not just the person that’s at the center of your, you know, kind of your compliance universe.
It is also all of the control owners that are on the engagement because the control owners aren’t going to, even if it’s the same person that did the same item last year, they don’t remember what the hell they gave you last year, right? And so, what ends up happening, and I know I got compliance people are chuckling as I’m running through this rendition, but, you know, what happens? Well, we go start up our annual cycle and of course, everybody develops compliance amnesia. You know, doesn’t remember anything that they did last year, etc. And so, they’re asking questions, what is it you need again? What did I get? What screenshot did I give you? And you’re spending your time just trying to spoon-feed back to the, you know, to the folks on your engagement, you know, kind of telling them or reminding them of what it is that you need to do and, you know, what are, you know, which screens did they provide you with last year and reminding them of their assignments, on and on.
And so, the benefits, if you will, of leveraging, you know, kind of a systematic approach and some of those efficiencies is even it goes, it extends past the core person and it extends out to all of those control owners because if you can get those control owners just being able to get in, grab their stuff, get things done, you know, and whatnot, now you’ve got efficiencies that are being built not only for your core central person, but also for all of the control owners, their lives are made easier at the same time. There’s a lot of efficiencies to be gained kind of across the organization, not the least of which is, you know, one of the downsides when you’re on one of these compliance engagements is that, you know, and I talked about this in pods we’ve done in the past, the mad scramble as you’re trying to get to the finish line of your, you know, annual compliance cycle. And that mad scramble that ends up happening, well, everybody knows what happens when you get into that mode, you know, things get, you’re just trying to get things done. I’m, you know, maybe I had this storage repository where we had everything nicely and neatly stored and labeled and named and whatever and now I’m in the thick of it, right? You know, I’m not, I’m not following my name in convention, I don’t have enough time to go and duplicate the file into the right spot, I’m, you know, grabbing information, shoving it off, shoving it off in the assessor’s direction and, you know, kind of the repository for the last, I don’t know, maybe quarter or third of the engagement ends up just becoming a dumpster fire. And at the end of the day, you’ve got, you know, you’ve got a whole bunch of people that are, you know, they’re just winging and flinging and nobody goes back to clean it all up. But when you do have your system organized, now I’ve got a rock solid repository of exactly what happened last year, who did what last year, what evidence was provided last year.
It’s all at everybody’s fingertips as you’re starting into your engagement. It’s almost like somebody, you know, somebody decided to go flip the light switch, you know, type of a, you know, type of an eye opening event as they, you know, as they realize, start to realize there’s efficiencies that they can gain.
What would your recommended suggestion be for how organizations should set up their engagements and their compliance management systems?
I feel like getting you to do a “she sells seashells,” you know, routine here. I think that’d be, I think it’d be awesome.
Yeah, I’m sure you would enjoy it.
So, recommended setup. So, realistically, what you want is you want to have your own repository, your own system, gaining all these benefits for your own company first. Certainly, a lot of it depends on the complexity of the target organization, but many organizations have kind of like a multitude of control owners, maybe one or more standards or certifications they’re going up against. They’ve got certainly one or more systems that they need to gather up evidence from, et cetera. So, as you go in to start planning, putting together, putting everything together and staging it for a true compliance management system, thinking through all of the moving pieces and parts, et cetera, and really making sure that as you’re going in and making that selection or choice for your compliance management system, one, that it’s going to be a cost-effective solution and actually save you money, and then two, that the system is capable of handling all of the various things that your organization needs in terms of its complexity.
But it takes a minute. I would strongly suggest you work with the compliance management system personnel, look for their guidance and advice on how to go about setting it up based on your circumstances. So, walk in with your circumstances kind of ready to lay those out and then leverage both the tooling and the expertise of the compliance management system personnel to assist in getting your engagement set up. You want to make sure that as you’re going through your engagement, once I finish that first year engagement, that all of my kind of first year evidence, who did what, et cetera, that that’s all immediately referenceable so that you can gain those kind of additional efficiencies as you run into year two. And then figuring out, I would almost suggest do it as an afterthought. Don’t lean on, oh, how can I make the assessor’s life easier? Figure out how to make your own world most efficient and then figure out how can I get this information data over to the assessor. I mean, the best case scenario for your organization, undoubtedly, is if you can use the same system that you are populating with your annual compliance track evidence and have the capability to flow it through your tool to your chosen vendor, that would be your best case scenario because now I don’t need to mess with exporting the information of the data and kind of dumping that off or loading it back to the secondary system. If everybody can work from the same system, that’s your best option right there because now everybody is running off the same sheet of music and has the capability to kind of maximize their efficiencies as they’re going through and doing it. You want to look at things like communication from the target system. Your objective for your compliance management system should be that I’m not using anything other than the compliance management system to run my compliance engagement.
That’s when you have to win. In terms of communication back and forth, status, workflow, referencing elements and items from the prior year, you want all of that consolidated into the system because what we’re trying to do when we do this, we’re trying to eradicate text messages, emails, fly-bys by your desk, meetings where people are telling you stuff, SharePoint, file servers, voicemail messages, and you want all of that noise and you want to just get rid of it. That’s kind of your utopia when it comes to going in and getting your engagement set up properly.
For a lot of these organizations, they just don’t realize quite how much time that their organization could save and how much they’re sacrificing by just opting to use either wholesale manual, semi-manual internal tools or their assessor systems.
That makes sense, but I guess it boils down to like, how do you know, right? So like, what are some of the telltale signs that someone really needs to think hard about stepping up their compliance management?
Well, I mean, there’s some pretty evident signs as you’re talking through folks. Like, anybody that’s in IT, anybody that’s in the Security and Compliance Management Arena, I mean, you talk to people, you know, you hear buzzwords that, you know, come out of their mouth. And when you’re hearing things like, you know, the fact that they’re running their system through some, you know, through spreadsheets, you know, they’re using, they have drop zones for their file servers or SharePoint or something along those lines. You know, those are all keys.
You know, see, I’ve seen a number of organizations over the years that were trying to kind of solve the problem for themselves, you know, leveraging internal systems and maybe it was something that they developed themselves. Maybe somebody decided to put a, you know, put a, put a scan over top of a, of a back end database, you know, something, but, you know, the, when you’re hearing people having those conversations around, you know, kind of managing and maintaining their own internal systems, you know, those are, those are signs. When you hear the, talking about, well, they’re leveraging multiple certifications or standards, you know, that adds in a layer of complexity when they’ve got, you know, a multitude of solutions that need to be compliant in multiple locations that need to be involved in the, in the compliance evidence provisioning. You know, when they say that they are leveraging their assessor systems, I mean, these are all kind of telltale signs that, you know, that somebody has a tremendous opportunity, although they don’t realize it yet, to kind of step up their, their compliance management game.
Parting shots and thoughts for the folks this week, Adam.
Well, at the end of the day, you know, we got into the space to try to help people. And you know, I just, I really, nothing makes my heart warmer than having light bulbs going on for folks, them realizing how they can, how they can make improvements, you know, within their world.
You know, the sad part is, is that a lot of the leadership at organizations just doesn’t realize how astronomically inefficient their own compliance management engagement truly is for their own personnel. And just trust me that, you know, your point person is going to thank you. The control owners are going to thank you. You know, it’s, you know, nobody, nobody wakes up in the morning, you know, fired up that we’re going to get, we’re going to do compliance stuff today. I mean, it just doesn’t happen. So, you know, the more that we can make their world a little bit easier, take a little bit of load off of them, you know, all that fun stuff, those are important elements. And the other side is, is that, you know, for those organizations that are kind of doing their own thing, whether it’s some manual system, whether it’s an internal system they built, the downside, the biggest downside of that is, like right now, we’re at PCI v4.0.1. You know, it was PCI 4.0 before that, and it was PCI 3.2.1 before that. Every single, that’s just one standard, right? Eventually we’re going to get a 4.1 or a 5.0 or whatever. When we get to that point, every single time that that standard changes, oh gosh, now I need to go in and gut and overhaul my, you know, my manual process for doing my thing or making updates to the internal systems, et cetera, it’s tough. You know, and that’s a lot of sunk time. I mean, do you really want your people rewriting your internal compliance management system or do you want them doing their jobs? You know, that’s the way that I look at it. Just let them do their thing, you know, and kind of give the opportunity for them to leverage a good compliance management system. It will make them happier, you more efficient, and everybody will be thankful.
And that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow and I’m Adam Goslin. I hope we helped to get you fired up to make your compliance suck less.