We have a saying at TCT: managing compliance sucks. Fortunately, there are things you can do to make it suck less. TCT Portal was created to take a lot of the suckiness out of managing compliance, and it has made a HUGE difference in the lives of our clients. But there’s a human element to compliance, too — there’s your Assessor.

Assessors have a certain mythology about them that hovers somewhere between Darth Vader and Dirty Harry. They’re scary, they’re out to get you, and they’re merciless.

The fact is, your Assessor wants you to succeed, and they aren’t looking for opportunities to fail you. Believe it or not, you can actually have a positive and rewarding experience with your Assessor, if you avoid some of the most common mistakes clients often fall into.

Whether this is your first time going through a compliance cycle or your tenth, you might be surprised to discover the gaffes you’ve been making without realizing it. Watch out for these seven common mistakes to avoid with security and compliance Assessors.


Engaging an Assessor Too Late

Your stuff doesn’t have to be perfect before you present it to the Assessor, and you don’t need to have everything completely buttoned up the first time you go to them. Often, companies think they only have one shot to get it right, and that the Assessor will make a pass/fail judgment with no chance for a do-over. That’s not how it works. It’s a process.

If you start working with your Assessor early on, you can get their buy-in. They’ll be on the same page with you and understand what you’re doing and why. If you need to paint a bit outside the lines, you can talk through it and justify it before the on-site audit, so they already understand your approach and why it makes sense.

You don’t want to pop out of the woodwork at the last minute and present something that they aren’t already on board with. It actually creates more issues than it solves.

Instead, start talking with your Assessor early on, right from the start of your compliance project. Ask basic questions and get general directional guidance. “Are we on the same page? Are we heading in the right direction? Here’s what we’re thinking, does it make sense?”


Hiring an Assessment Firm Based on Price

Don’t ever hire the most affordable firm. Ever. Your Assessor isn’t a commodity — cheap providers provide crappy service, and it will end up biting you in the butt. I’ve seen clients go for the cheapest they could find, and I know from experience that it usually doesn’t go well for them.

Extremely high-priced firms aren’t worth the money either, because they’re grossly overcharging. Instead, find a good, reputable assessment firm that’s priced somewhere in the middle.

Someone in your network has an Assessor they’re happy with. Reach out to your connections, talk to people, ask questions about their experiences. Solicit recommendations. Hopefully, you’re working with a security and compliance consultant — ask them who they’d refer. Consultants are well connected, they’ve seen Assessors in the field, and they know the firms that would be a good fit for you…and which ones to avoid.

Presenting Issues Tactlessly

Assessors are there to assist and help you through the assessment process. They aren’t looking to give you an “F,” they want you to be successful. That said, you still need to be tactful when dealing with an Assessor. There’s a difference between saying, “We have this super-sensitive data that’s unencrypted and we store it in a location that anyone can get to” and saying, “If we have really sensitive data, how should we be storing it and controlling access to it?”

It’s the difference between leading them to a very specific problem in your environment — which will only lead to more probing questions — and simply getting the insight you need.

Don’t forget that while the Assessor is there to help you through the process, they’re also there to evaluate you as a disinterested third party. They’ll do their due diligence.


Winging It with the On-site Audit

I’ve seen companies walk into the on-site assessment completely unprepared — key people on vacation, staff uninformed of the assessment, documentation not within reach, or general disorganization and lack of attention to detail.

Make sure key people will be around and available at a moment’s notice. Have all of your evidence at your fingertips and in order — ideally in a central repository — so you can quickly grab it when needed.

Forgetting the Assessor Is Human

An on-site assessment is astronomically intense for an Assessor. They have to be “on” from the moment they arrive to the moment they leave. They’re constantly connecting dots, keeping a multitude of things in their head, running their brain full-speed. On top of that, they’re in a strange town away from family, working intensely with people they don’t know, feeling depleted from travel, and sleeping in a hotel bed.

Many clients pressure Assessors (even unintentionally) to squeeze their engagements in as short a time as possible. Give your Assessor the time they need to do their job without going non-stop.

  • Build in plenty of time for breaks.
  • Don’t rush the process. Stretch the schedule out half a day to create more breathing room.
  • Provide bagels and juice in the morning.
  • Arrange for your executives to treat the Assessor to a dinner out (nothing extravagant).

Storing Your Evidence on the Assessor’s System

Every assessment firm has a system they like to use to store their stuff in. It makes life easy for the Assessor, which is fine. But if you’re relying on their system to keep your documents organized, you no longer control your own stuff. If things go sideways with the Assessor, or you change firms, you’re up a creek without a paddle.

You never want to rely exclusively on the systems of your Assessor. This is your information, not theirs. Make sure you have your own robust, effective compliance system — one that’s organized in a way that fits your organization and your needs. One that you can share with the Assessor you’re working with, rather than the other way around.

Treating Your Annual Assessment As an Annual Event

For many companies that need to meet compliance standards, the annual third-party audit features a mad scramble to stumble across the finish line. It may have been chaotic, but it’s done. You can pat your team on the back, take them out to lunch, and put compliance and security requirements in the rearview mirror for a while.

And that’s the problem. You set it and forget it, and there’s a big pile of chaos waiting for you when you get ready for next year’s audit.

On the other hand, if you’re maintaining compliance in an ongoing Operational Mode throughout the year, you can provide data, inputs, checkpoints, etc. to your assessment firm along the way. This shows the Assessor that you’re taking security and compliance seriously all year round, and it gives them confidence that you’ve got your act together.

And that makes for a much easier on-site audit next year.

Your compliance Assessor isn’t Dirty Harry or Darth Vader. But avoid these common client mistakes, and you’ll have a better chance at making managing your compliance suck a lot less.