30th May, 2021 4 Min read
Book a Demo
We all know how security compliance works. It’s one of those processes no one dares to disrupt. As InfoSec leaders, after having our morning coffee, we quickly move to our emails, going through those routinely generated reports, which leads us to believe that the procedures and controls are still in place and are in good shape.
Later in the day, we sit with the network administrator or SOC team member and ask them to present us with some screens of their configurations and dashboards. In order to document the current status, we take a few screenshots, export some reports, and shift those right to our mailbox.
Reduce your AWS costs by over 50%
Discover your Cloud Saving Potential – Answer just 5 simple questions. AppsFlyer, Playtika, Lufthansa, IBM, top leading companies are already using our FinOps services.
Back from those meetings—after lunch with a colleague—we close the office door, sit in front of the computer, and start summarizing everything; the meetings, our conclusions, the findings versus the organization policy and procedures, and perhaps add one or two of those screenshots or reports we have.
The last mile involves our recommendations which we share via email with our good old “relevant stakeholders” and ask them to acknowledge and provide feedback. The best part of every email is the check-in due date for that gap we just discovered.
Long story short, just another day in the life of a typical compliance manager.
Guidance, methodology, and structure are great. They help us achieve a higher level of accuracy and predictable results. Consequently, we have been trained to think of InfoSec compliance as a bunch of framework-specific controls and pieces of evidence to be collected and analyzed towards its audit.
Back in the old days, this was the best way to enforce organizational policies and ensure the company mitigated its risks.
But the world is changing and technology empowers us in every aspect. Well, almost every aspect… InfoSec compliance hasn’t changed much, yet.
Consequently, the immediate drawbacks we face on a day-to-day basis are:
I consulted with my professional network and found out how compliance managers in different companies currently overcome some of these challenges:
It turned out that companies with mature compliance functions usually build and maintain their internal “evidence repository”, aka, a shared folder on Dropbox with the “latest” evidence of each type.
And the others? They simply surrender and try to survive the chaos on a daily basis. Working in a checklists-based flow can sometimes make our lives easier—but for modern enterprises in the cloud era, InfoSec compliance checklists are actually a huge burden, impeding the way to a scalable compliance program.
Based on checklists and single point-in-time snapshots, InfoSec compliance audits have led us to a dark corner.
Your work is stressful, largely because you know that compliance is spotter from the management; they want us to be able to satisfy any potential customer, but don’t understand how bad every audit is to the organization. Audits are every company’s nightmare since audit preparation requires every stakeholder in the organization to “donate” their time and produce some vague evidence, yet again.
The tragedy in this story is that these same stakeholders find those “send me a screenshot of X” tasks to be a huge burden. They don’t have KPIs for satisfying those queries, nor do they believe they can be trusted or actually help anything (besides for satisfying the auditor).
With zero ROI, InfoSec certification is yet another “traditional” requirement of B2B sales that the company struggles with.
Oh, and the “highlight” of every audit is the endless ping-pong between you and the auditor, where you have to once again describe the structure of the company and its architecture so they’ll understand why this piece of evidence is the relevant one.
“What’s the intuitive way you’d expect InfoSec compliance to work? Please describe the end-to-end flow you wish you had.” This is what we say to customers on our first call. You’d be surprised, but as tech-savvy SaaS and cloud-oriented people, we all share the same vision of compliance-utopia.
We broke down the properties of this “utopia” into tiny building blocks and realized that it could actually be achieved in a straightforward way.
Truth be told, the “a-ha” moment is consistent; it happens whenever we show potential customers how those building blocks complement each other to create a simple and intuitive model.
Contact us to start enjoying compliance. No kidding.
The Challenge: Dealing with the Back-and-Forth There are so many shared challenges when it comes to cloud compliance. The constant back-and-forth with the auditor has become a draining routine. As you dart through digital archives for necessary audit evidence, precious minutes slip away from your actual duties. Each passing hour pulls you further from your […]
What is the most annoying thing about compliance work? Out of 150 security leaders surveyed on Pulse, 41% pointed out their struggle for cooperation from core teams in producing evidence needed for InfoSec audits. In other words, compliance work is ungrateful and unpopular. Cloud compliance in hyper-growth companies poses a significant challenge in terms of […]
Abstract In most companies, InfoSec compliance is a necessary evil, creating lots of bureaucracy and grunt-work for core teams like Sales and Development. It is yet another way in which security and its by-products slow down the business. Growing, cloud-native companies have zero tolerance to whatever slows them down. Therefore, a security stack that can […]
As important as it is to achieve SOC 2 compliance, the manual work involved, along with all the minutia required, often leaves CISOs and Compliance leaders feeling overwhelmed at the prospect of preparing for audits. But preparing for, and ultimately achieving, SOC 2 compliance doesn’t need to be complicated or overwhelming. Today, organizations are starting […]
Schedule a call with our experts. Discover new technology and get recommendations to improve your performance.