Compliance Unfiltered is TCT’s tell-it-like-it is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable, compliance expertise with a sprinkling of personality.
Show Notes: Mistakes Organizations Make with Their Assessor
On this week’s episode, we dig into the assessor realm a little deeper to understand the common mistakes companies make with their Assessors. Why are organizations so scared of Assessors? Are companies engaging their Assessor too late? How are you prepping for your onsite? Are Assessors actually humans or are we dealing with cyborgs??? We’ll cover all these topics and more, on this week’s episode of Compliance Unfiltered!
Highlights include:
- Why are organizations so scared of Assessors?
- Mistakes companies make
- Should you hire based on price?
- What about presentation style when delivering info to the Assessor?
- Prepping for the annual onsite
- Are Assessors REALLY human?
- Mistakes regarding evidence storage
- Parting thoughts
Remember to follow Compliance Unfiltered on Twitter and Instagram at @compliancesucks
Read The Transcript
So let’s face it, managing compliance sucks. It’s complicated. It’s so hard to keep organized and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now here’s your host, Todd Coshow with Adam Goslin.
Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow alongside a man who just looks the scary side of compliance right in the face and punches it in the mouth, Adam Goslin. Adam, how the heck are you? Ha ha ha ha ha ha.
Hold on a second. I’m finishing whooping somebody here. You got it. I’m doing well.
Listen, and I’m glad to hear it, man. We’re having a conversation today about some things that can be a little daunting to some folks. And so having somebody on their side to give them a light in a dark tunnel is certainly something that a lot of folks will view as helpful. And that is, we’re talking today about mistakes that organizations make when it comes to their assessor. So why are organizations so scared of assessors, Adam?
Well, you know, it’s interesting, right? I mean, different companies, and, you know, I’ve had the experience of dealing with it, going through it myself, dealing with it as a consultant to compliant organizations or alongside assessors. So I’ve kind of seen it from all angles. But it is interesting, especially for the organizations that are first headed down the path of compliance and they’re going through their first annual audit. You know, it’s almost like there’s this mystique associated with the assessor. “Oh, the assessor’s here,” you know, that type of thing. And so, I don’t know, it’s almost like the organizations carry this feeling that the assessors are judge and jury, and they’re just gonna issue their sentence, and, you know, it’s like, you gotta just calm down a bit, you know? I mean, it’s almost like they have some certain reverence around the assessor, you know, type of thing. I mean, they didn’t float in on a cloud or fly in on wings or whatever, you know? Just calm down a little bit. We’re gonna be just fine, you know? But I’ve literally seen companies, they’ll send out like all-points bulletins, you know? Hey, fair warning, the assessor’s gonna be here. And then the assessor pulls in the parking lot, people’s faces are stuffed in windows and whatnot. He’s over here, you know. It’s like, oh, calm down, just calm down, everybody’s gonna be okay, I swear.
So there is... I can just get a picture of that in my mind now. Let’s go.
You think I’m joking, I’ve literally, the funniest part is people like parting blinds and stuff and the assessor’s walking up and they see three or four sets of blinds all shuffling in the window and whatnot.
Well, I mean, we’re at the precipice. So let’s jump in with both feet. Let’s get going through the mistakes here. Let’s start with, you know, what mistakes are made when it comes to engaging the assessor too late.
Well, you know, the reality is that everybody’s human, right? And, you know, by the point at which they’re going through their first assessment, they’ve already probably been faced with having to pore over gobs and gobs of documentation and hours on Google, trying to understand what it is we need to do. And, you know, for some organizations, they kind of see the light, and eventually they’ll either suffer their way through it, which is what I did my first time, or they’ll, especially now where there’s more availability of resources that can provide assistance, bring on some type of consultant or something to kind of help navigate the waters and whatnot. But, you know, the bottom line is that these companies generally seem to take on this premise that, oh my God, everything needs to be 100% buttoned up before we have the assessor engaged, and they get so knotted up in making sure that every single thing is perfect. And meanwhile, you’re literally watching months passing, you know. It’s like one of those movies where you’re just watching the sands of time flying by, type of thing. And it’s like, listen, you can’t sit waiting for everything under the sun to be absolutely perfect. Would that be ideal? That basically the assessor walks in, and all of a sudden the clouds part, angels are singing, and they spend a half an hour there, tell you you’re perfect, walk away? Every company would love to have that happen. But it’s just not reality. I mean, there’s so much breadth on any given compliance engagement that you’ve got a number of paths to kind of head down.
So, you know, what I typically tell people is especially when you know, we’re going to need to bring in this assessor. The one thing that they miss in this is that getting the getting the assessor into your kind of engaged, get them into the mix, get their, you know, kind of buy in on what’s going on, things along those lines, those are all important elements, as they’re kind of going through, going through the process. And so you want to make sure that you’ve got your assessor kind of on your side that they understand what’s going on, they can participate in making some of these directional decisions. You also want to make sure that, you know, that you’ve got their buy in, right? If I’ve got eight ways that you possibly solve fill in the blank, then you know, you want to be able to take the, you know, take those options, decide which ones are going to kind of fall into the, you know, these are the eight options, these are kind of my, my, you know, top three choices, then have the conversation with the assessor, get them engaged in it.
There’s a couple of advantages there. Number one, they feel like they’re more part of the process. Is that as they, you know, as they go through and provide said blessings for fill in the blank, the interesting part is that now, not only have you brought them into the process, not only have you consulted them to say, hey, what should we do here, they get a sense that they can contribute. But because of the fact that they’re the ones that gave you the recommendation or the suggestion or affirmation also provides a certain amount of safety, if you will, as long as you did what the assessor said, yeah, go do it that way. I got a ton of background noise, just a heads up. So if you got the assessor on the same page, then what ends up happening is that now you don’t run the risk of getting down the road. And the assessor go, well, that’s not really going to pass muster. So you get these companies that they want to kind of get to that perfect moment. And then they’re just bent about the fact that, oh my gosh, now we thought we were done. And meanwhile, the assessor disagrees on six different things and how we did it. Now we’ve got to go back and fix things and all that fun stuff. So that’s part of it for me is just making sure, get those assessors in, get them on board, make them part of the process. It’s actually really going to help you when it comes down to getting through the assessment process.
Well, what are your thoughts regarding hiring based on price? I mean, that’s a standard question.
Sure. Well, I mean, with anything, right? Um, you know, I don’t know. Let’s just use, uh, let’s just use a carpenter, be, be an easy example. You’re going to go out, you’re going to get prices from, you know, from five carpenters and, you know, one, one carpenter wants to do your job for $120, the next car, you know, and then that’s at the top end of the food chain, you’ve got a carpenter that’s going to be $5,000. Oh, this is for the same job, right? I mean, you know, it, it, it makes logical sense. Although, you know, for, for a lot of organizations, they, they drive based on price. Certainly the internal, you know, CFO style function, whoever’s watching the books and things along those lines, they’re, they’re going to obviously want to get the most cost effective solution that they can. Uh, and so they’re obviously pressing for, I’ll just go with the lowest.Um, you know, the, the, the reality is, is that if you, you get what you pay for is, is never more true. The, well, how do I say this? You get what you pay for, it certainly comes into play when it comes to assessors. So if you go with the cheapest option, if you go with the cheapest option, well, then, you know, you’re, you’re definitely going to get what you paid for. Um, you know, you’re going to get somebody that’s not really engaged. I mean, if you think about it, right, the amount of dollars that the assessor makes are directly commensurate with how many hours they anticipate, you know, being there. So I don’t know. Let’s just say that the, an assessor makes, you know, $250 an hour, quote unquote. Well, if you’re, if you do the math and then you can pretty much, you know, figure out how much time is the assessor actually planning on doing this. And so if they’re only going to be putting in 10 hours into your assessment or six hours into your assessment, well, then, you know, it’s, this is going to be whitewashed and, you know, it’s going to be making a whole bunch of assumptions, et cetera. 
So the cheapest one under the sun isn’t really the right way to go. And yet, here’s the interesting part about the ones that are at the top end of the pricing, the most expensive of the firms that are out there. This typically comes down to the really big consultative and assessment-style firms. Their model is to basically bring on, for the vast majority of the staff, people that are relatively new to the space. They try to get them early in their careers. The frontline personnel are the ones that are kind of learning the ropes. And then you’ve got a layer of middle management that provides oversight for the little ones, type of thing. And then you’ve got somebody at the upper level of management that watches over the middle management. That’s a typical model for the vast majority of the big firms. And so you end up paying the dollars at that high end of the food chain.
And yet what are you going to end up with day by day? Well, you probably end up with some noob with, I’ll call it, a relatively low to moderate level of oversight from middle management and almost no oversight from upper management. And yet you’re paying the bill. So where does it make sense? Fit somewhere in the middle would be my recommendation. Certainly, don’t do it on price. Somebody that has gone through an assessment, has worked with a firm, et cetera: talk to your connections, talk to people you know, ask questions about their experiences, solicit recommendations, that type of thing. That’s honestly the best place to go in and start. That said, if you’re working with somebody, a security compliance consultant, et cetera, go to them, because I can tell you, as a security compliance consultant, I’ve dealt with dozens of different assessment firms. I can certainly provide folks with recommendations. “What do you think about this one?” “I want to keep looking.” “What do you think about this one?” “Oh, they’re rock stars,” you know. You just get that feel based on being in the space and having the experience. And certainly there’s a certain measure of, I don’t know, fit, if you will, with the culture. And we talked about that, I think, on the last podcast, the culture of the assessment firm and how that kind of fits into the mix. So yeah, don’t make it on price. That’s a gigantic mistake that a lot of folks make.
So what about the presentation style when delivering input of the assessor?
Well, I don’t quite know how to put it other than, you know, just make sure that you’re not presenting issues tactlessly. You know, there’s a, there’s a certain approach, if you will, to, you know, discussing things with an assessor. Yeah, they’re not judge and jury and, you know, and all that fun stuff. But in the grand scheme of things, do you want to necessarily be exposing like everything under the sun about what’s behind the curtain. You know, not necessarily, you know, you want the assessor to have to have a sense, you know, certainly when you get to the point where you’re ready to go in and do the, you know, do the onsite. Now you want them to have a sense that, you know, this organization’s got it together and, you know, that they’re, they’re getting, you know, that they’re getting, you know, concise answers. And yet, not too much. So, you know, the assessors do want you to be successful as you’re, as you’re going through it. You know, but, but just be tactful in, in how you present, how you present information instead of saying, hey, we’ve got this massive problem and here’s why, you know, maybe instead, you know, you, you ask for their directional guidance, right, don’t, don’t expose the problem in as much as gain their insight on the topic. So, you know, if, you know, instead of walking in and saying, hey, we’ve got this super sensitive data that it’s unencrypted and we store it in a place everyone can get to, one could take an alternative approach and say, hey, if we have sensitive data, then how should we be storing and controlling access to it? You know, and it’s just a, it’s a, it’s a slight difference, but what I found over the years is that it depends a lot on the person, right? You know, a lot of people are almost like too open, you know, too open for their own good. 
So, you know, if the more that you raise issues with the assessor, then the more they’re going to think that there’s a problem and the more they think that they’re going to need to dig and the longer your process is going to take. So, you know, don’t, don’t forget that, you know, the assessor is there to help you through the process and they’re not your enemy, you know, but they’re also being paid to be, you know, to evaluate the organization as a disinterested third party. So, you know, you can expect that they’re going to, you know, go in and do their due diligence.
So, and I appreciate that. Now talk to me about the prep for the annual onsite. This is something that gets a lot of run, I’m sure internally.
Sure. You know, certainly I’ve seen organizations that have made the choice to literally walk into the onsite assessment absolutely unprepared. Absolutely unprepared. I’ve seen key people, like people that are central to the process, on vacation. I’ve seen staff that didn’t have any idea we were even doing the assessment and that the assessor was going to be walking around and talking to people, asking questions. You know, I’ve seen where the assessor says, “Hey, can you show me the blue policy?” And it’s like, 15, 18 minutes later, “I’m pretty sure I know where it is. Hold on, I’ve got to call three more people,” you know, type of deal. But long story short, general disorganization, lack of attention to detail, all of those things really fall into that kind of bucket of winging the onsite audit, type of thing. I mean, you want to make sure that you’re ready for it, that you’re organized, that your key people are there, available immediately. Quite frankly, I usually tell people to make a game plan, because I’ve seen all sorts of wacky things happen when it comes to onsites. The assessor’s only in for, I don’t know, maybe two days, three days, something like that. And all of a sudden, so-and-so, who’s kind of critical to the assessment process, is in an accident the morning of the first day of the onsite and is in the hospital. So, you know, are there other ways to work around things? Sure. But if you walk in and you say, okay, well, I know that Mary is my point person for this, but if she’s not here, then I know that I can go to Bob and Frank. I’m going to give them a heads up: “Hey, we’ve got the audit coming next week. These are the types of topics, and we talked to Mary about it. You’re her second,” you know, et cetera.
And then that way, you’ve kind of got it all lined up. Certainly making sure that all your evidence, you’ve got it at your fingertips, you can readily find it, you know, we’re not scouring for it, et cetera. I mean, ideally, having all of that in a central repository, so you can search for things, readily find things, know where it’s at, et cetera. That’s all super, super, super helpful when it comes to the prep for the annual onsite.
So people love to joke about it, but are assessors really human or are they cyborgs? I gotta know this question, I gotta know this.
The reality is that they are human. I mean, one of the things that, for anybody that’s been through an assessment, they know kind of how intense it is for them going through as participants. But a lot of them, what they don’t think about is the fact that that onsite assessment, you know, and I’ve done a lot of these, and there was a day when I literally would go and pick up two energy drinks so that I could have one in the middle of the morning and one in the middle of the afternoon, just to kind of keep the party moving, you know. It is astronomically intense for the assessor. If you think about it, right? For each of the participants, they’ve got to come in and talk for 20 minutes, or maybe a half an hour, or maybe even a whole hour, right? The assessor’s got to be there for what, six, eight, nine hours? Solid. And during that period of time, they’re constantly thinking things through, connecting dots, keeping a whole bunch of stuff that they’re talking about with the company in their head. Their brain is at full speed. And on top of that, they’re in a strange town. They’re away from their family. They’re working intensely with people they may have known over years, but most likely don’t. They’re tired from travel. They’re sleeping in a hotel bed, you know. So the reality is, a lot of the organizations that I’ll see, especially the newer ones, it’s kind of funny because they’ll almost try to structure it, right? Well, if we only give the assessor this period of time, then they’re not going to be able to run into as many issues, and blah, we’re just going to breeze through it.
But the reality is that if you try to jam the assessment into a short period of time, or you build in all of these delays in the schedule just to burn clock time, you’re just going to make it more stressful. You’re going to end up with a plethora of things that are going to be follow-up items. So what are some of the things that these organizations should do? When they work with their assessor to put together the schedule, build in time for breaks. If I could give them a recommendation, I’d say 15 minutes every hour, type of thing, or 10 minutes every hour. Just build that in so that we’ve got breaks within the schedule. They can take a minute, they can make a call, go sort something out, use the restroom, whatever it may be. But build those breaks in, don’t rush the process, you know. Instead of trying to compress the schedule, I’d recommend adding another half a day, just because. Make sure you’ve got plenty of time to be able to get through everything that you need, especially in that first year, as the assessors are getting their arms around things.
That’s huge. You know, providing some type of breakfast in the morning, making sure that you’re organized with meals to eat as they’re going through each day. A lot of folks will kind of take the assessors out for lunch. Again, it’s another ploy that I’ve seen companies going through their compliance assessment use, thinking they’re all smart, you know. Oh, we’re gonna take them out to this amazing lunch. And meanwhile, they literally evaporate three and a half hours right in the middle of the day for lunch, you know. And instead I’d recommend having it lined up so that you’ve got food delivered and whatnot. Everybody sits down at that midday point, get the team together to just sit down and chat with the assessor, talk about stuff that doesn’t have anything to do with the assessment, get to know them a little bit. And certainly bringing the food in for lunches means I can finish up my meeting at 11:50, we can sit down, have the team lunch, everybody gets some food, which the people on the team are happy about, and then get right back to it. But give them that time. And then the last recommendation is make arrangements. I mean, depending on the organization’s culture, some of them don’t want to do this, and that’s fine. But if your organizational culture doesn’t prohibit it or frown upon it, then make arrangements to treat the assessor to a dinner out with the execs. It doesn’t have to be at the best steakhouse in the entire city, that type of thing. My recommendation for dinners with the assessors: you’ve got to remember, these guys and girls are traveling constantly, right? So they could readily have gone to every single major restaurant chain known to man.
Pick out a place that is local to your city that has some good food. It doesn’t have to be $100 or $200 a plate. Just pick something local, something local that they’d like, maybe have two or three options like that. That’s usually a really good idea for going through and kind of handling the evening event with the executives.
Okay, we’ll turn the page a little bit. Talk to me about some of the mistakes regarding, like, evidence storage.
Well, one of the biggest mistakes that organizations will make in storing their evidence is using their assessor’s system as their system of record. And what I mean by that is that, depending on what you’ve worked out with your assessor, in some cases, the assessor’s fine with using whatever system you’ve got. In some cases, the assessor’s going to mandate that their pricing revolves around using their systems, that type of thing. But don’t just use the assessor’s system. And the reason why is that, if you think about it, that’s a repository for who did what, what did they actually deliver, all that fun stuff. It may look super pretty when it goes into the assessor’s system, but you don’t know what’s going to end up happening down the road. What happens if your favorite assessor at Fill-in-the-Blank company has, whatever, gotten reallocated to a different division and no longer does those assessments, left the company, whatever it may be, moved up to middle management and now is no longer your primary point person, or worse yet, moved to the upper level of management, right? You don’t know what is going to happen as you’re having the interchange with your assessor. You may get jaded. You may become unhappy with the firm you’re working with, that type of thing. And so as a result, you must make sure you’ve got it. Now, the one rebuttal that I’ve heard on this is, oh, well, the assessor can just go ahead and punch a button and give us an extract from their system. Do you have any idea what an absolute garbage bag it’s going to be when the assessor punches the one button to rule them all to generate a zip file that basically dump-trucks all of your crud into whatever format they decided would be appropriate? You need to have continuity. You don’t want to rely exclusively on those assessor systems. This is your information, not theirs. You’ve got to remember, they’re a vendor to you.
And part of your continuity and your compliance program means that you want to make sure that you have it buttoned up for your company and then figure out how do I play in the sandbox with the assessor systems type of thing. So I would strongly recommend that organizations have their own system for managing their compliance and leverage that in concert with their assessor as they’re going through their process. In the best case scenario, you’re using a system that you can share the information and workflow the information in your system directly over and into the hands of the assessor. That’s kind of your best case scenario where everybody’s working from the same sheet of music. But the important part is the organization that’s going through compliance, make sure you’re licensed for fill in the blank software. That way, it doesn’t change. You’re not dealing with the dump truck of files and blah, blah, blah, blah, blah. You’ve got everything at your fingertips for your purposes.
That’s a good shot. What about an organization’s approach to the annual assessment itself?
So first and foremost, a lot of organizations will treat the annual assessment as an annual event. And what I mean by that is that there are many companies that need to meet compliance standards. For many of these companies meeting compliance standards, that annual third-party audit kind of features a mad scramble to stumble across the finish line. It may have been chaotic, but it’s wrapped up at that point in the game. Everybody kind of pats themselves on the back. Maybe we go out to lunch. Maybe we throw a “whoo-hoo, we made it through compliance” party. And then everybody goes back to sleep until the next annual assessment. And that’s basically the problem, is that for those organizations that go through those 18 dimensions of hell, et cetera, you’re making a lot of assumptions. You’re making a ton of assumptions. And this sounds dumb as blazes, but I literally have answered some of these questions. I had one organization that said to me, oh, so do you mean that the quarterly vulnerability scans that we’re obligated to do, that you have to actually do those each quarter? Yeah, yeah, and that’s why they called it quarterly vulnerability scanning. And I’ll give you three guesses when daily log reviews need to be done. The bottom line is that you go into these annual engagements and the assessor is gonna start: hey, go throw me your quarterly scans. I wanna see evidence from these 17 days through the year that you did your daily log review, type of thing. And if the only time that you’re finding out that there’s a problem is when you’re sitting right in front of your assessor, well, that’s just the worst possible time to do it.
So the recommendation here is to maintain your compliance in an ongoing fashion. In the TCT portal, we call it operational mode, which basically takes a particular engagement or a particular track and splits it out into all of its component pieces. What are all the things that I need to be doing quarterly or sooner? So quarterly, monthly, weekly, daily, right? What are all of those things that need to be done on a periodic basis through the year? And then each quarter, you go in and you go, okay, I’m gonna go and make sure I’ve got the evidence for this, the evidence for that, et cetera. For organizations that do that, there are several benefits that come into play. Number one is that, if you think about it, if you have some type of massive problem with your quarterly or your semi-annual items, then you’re now discovering those at the end of quarter one of your compliance run, or you’re discovering those at the midpoint of your compliance run. You’re not finding out about them when the assessor asks for evidence you don’t have, which has happened more times than I can count, and having to honestly answer some tough questions, right?
What do you mean your quarterly vulnerability scans aren’t done? When was the last quarterly vulnerability scan? They’ll start digging in. So number one, if you’re a company in the security and compliance space, you’ve got an obligation to keep this together. You’re not doing it for, well, hopefully you’re not doing it for a checkbox. You actually care about security and compliance. But the reality is that, all the way around, staying on top of it, discovering things early, collecting that evidence as you’re going through the year, not only does it help to protect the company, not only does it help to make things a heck of a lot easier at the end of the year so you’re not forced to answer some tough questions, but the added bonus is, and we were talking about it a minute ago, right? If your assessor is using the same compliance management system as you are for managing engagements, guess what? Now they’re seeing evidence that, hey, this company’s all over it. They’re loading up all their Q1 stuff. All their evidence is right there, et cetera. I can go in and look at it if I’d like to, that type of thing. That’s a huge, huge plus. That gives the assessor a great sense that this organization has it together. They’ve taken it seriously. They’re not whitewashing the process, and honestly, the mitigation of risk. For me now, I mean, you gotta keep in mind, Total Compliance Tracking goes through its own annual Level 1 PCI compliance audit. Oh, you can rest absolutely assured that we’re going through each quarter, collecting our evidence, filtering it off to the assessor, et cetera. Oh man, I’ll tell you what, that makes things so much better. So much better. Honestly, it’s like a breeze when you get to the assessment. It’s more about going through, answering their questions, things along those lines, but now I know, as a leader at TCT, I know I’m not gonna be stepping on landmines right in front of the assessor.
And that’s about the last thing you want.
No, and that’s huge. So any parting thoughts and shots on this, I feel like you’ve done a pretty good job in terms of covering the ins and outs, but tell me, is there anything we’re missing?
Well, just in general, especially for those organizations that are, I don’t know, kind of new to the space, there’s certainly things that they can do and make better and make improvements on to make their lives easier, et cetera. I just hope that kind of the directional guidance that we can give to folks dealing with compliance through these podcasts, I just hope that it provides them with some benefit. I’ve really seen a lot of war wounds, if you will, going through, especially, kind of prepping clients for assessments and kind of seeing how it’s worked. Quite frankly, a lot of the features, which is kind of the interesting part about the TCT portal, a lot of the functionality that’s in the TCT portal, it’s there for a reason. It’s there because, why do we have operational mode in the TCT portal? Because Adam is showing up to annual on-sites and answering the questions around GD, we really use huge vulnerability scans quarterly, type of thing. It’s built with purpose from experience and companies can really benefit if they kind of take that approach, especially the proactive nature to their compliance. It’s just all the way across the board. Everything smooths out because now I’ve got far earlier insight. And honestly, the assessor, if you think about it, and I’ve seen this several times where the company has been struggling and struggling and struggling to get to the point where they’re, quote, compliant. They get compliant and they throw the party and of course we immediately go roll them right into operational mode, okay, three months from now we’re gonna start collecting all this stuff. Here’s all the things you need to be doing and here’s how often you need to be doing them, kind of getting them all prepared and everything. And sure enough, you get to Q1 and you find out that despite the fact that you did everything under the sun you possibly could to get everybody staged for success, that somebody missed something through the period.
But when you get to that first quarter, you make those adjustments. What I would typically do is I’d go back, I would get things worked out with the organization going through compliance, and then I’d turn back around to the assessor and I’d say, hey, I wanna give you a heads up. I wanna give you a heads up. We had a problem with this. This is what we discovered. Here’s how we addressed it. This is what we did to fix it. These are the mechanisms that we put in place to make sure this doesn’t happen again. We’ll evaluate again once they get to Q2, but I’m sure they’re gonna be in a lot better shape. If I walk in and I say that to the assessor, it actually makes them feel great because now they know that not only is this company doing what they’re supposed to be doing, but they’ve recognized areas that they’ve had issues. They’ve made adjustments to their day-by-day process and procedure, have made improvements to that end, and poof, now I can see a model for this company that is heading in the right direction. I know even if something goes boom, then I know they’re gonna be on it.
They’re gonna take it seriously. They’re gonna make the right adjustments. It really makes that assessor feel good.
And that right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow and I’m Adam Goslin, hope we helped to get you fired up to make your compliance suck less.