Life Is A Checklist of Checklists

Daily Chaos, By Design

We all know how security compliance works. It’s one of those processes no one dares to disrupt. As InfoSec leaders, after having our morning coffee, we quickly move to our emails, going through those routinely generated reports, which leads us to believe that the procedures and controls are still in place and are in good shape.

Later in the day, we sit with the network administrator or SOC team member and ask them to present us with some screens of their configurations and dashboards. In order to document the current status, we take a few screenshots, export some reports, and shift those right to our mailbox.

How One AI-Driven Media Platform Cut EBS Costs for AWS ASGs by 48%

How One AI-Driven Media Platform Cut EBS Costs for AWS ASGs by 48%

Back from those meetings—after lunch with a colleague—we close the office door, sit in front of the computer, and start summarizing everything; the meetings, our conclusions, the findings versus the organization policy and procedures, and perhaps add one or two of those screenshots or reports we have. 

The last mile involves our recommendations which we share via email with our good old “relevant stakeholders” and ask them to acknowledge and provide feedback. The best part of every email is the check-in due date for that gap we just discovered.

Long story short, just another day in the life of a typical compliance manager.

The World Is Changing—What About Compliance?

Guidance, methodology, and structure are great. They help us achieve a higher level of accuracy and predictable results. Consequently, we have been trained to think of InfoSec compliance as a bunch of framework-specific controls and pieces of evidence to be collected and analyzed towards its audit. 

Back in the old days, this was the best way to enforce organizational policies and ensure the company mitigated its risks.

But the world is changing and technology empowers us in every aspect. Well, almost every aspect… InfoSec compliance hasn’t changed much, yet.

Consequently, the immediate drawbacks we face on a day-to-day basis are:

  • A control may be unfulfilled a week after the audit, but unfortunately you don’t know about it
  • The modern business environment is chaotic and every department has a growing number of tools in place 
  • When we finally do find the right platform-specific screen we need, the data is barely enough to really trust the control
  • The data is outdated the moment we get it, and no one wants to beg for new pieces of evidence every day

I consulted with my professional network and found out how compliance managers in different companies currently overcome some of these challenges:

It turned out that companies with mature compliance functions usually build and maintain their internal “evidence repository”, aka, a shared folder on Dropbox with the “latest” evidence of each type.

And the others? They simply surrender and try to survive the chaos on a daily basis. Working in a checklists-based flow can sometimes make our lives easier—but for modern enterprises in the cloud era, InfoSec compliance checklists are actually a huge burden, impeding the way to a scalable compliance program.

You Can Bridge Gaps, Not Craters

Based on checklists and single point-in-time snapshots, InfoSec compliance audits have led us to a dark corner.

Your work is stressful, largely because you know that compliance is spotter from the management; they want us to be able to satisfy any potential customer, but don’t understand how bad every audit is to the organization. Audits are every company’s nightmare since audit preparation requires every stakeholder in the organization to “donate” their time and produce some vague evidence, yet again.

The tragedy in this story is that these same stakeholders find those “send me a screenshot of X” tasks to be a huge burden. They don’t have KPIs for satisfying those queries, nor do they believe they can be trusted or actually help anything (besides for satisfying the auditor).

With zero ROI, InfoSec certification is yet another “traditional” requirement of B2B sales that the company struggles with.

Oh, and the “highlight” of every audit is the endless ping-pong between you and the auditor, where you have to once again describe the structure of the company and its architecture so they’ll understand why this piece of evidence is the relevant one.

Compliance isn’t a Nightmare Anymore

“What’s the intuitive way you’d expect InfoSec compliance to work? Please describe the end-to-end flow you wish you had.” This is what we say to customers on our first call. You’d be surprised, but as tech-savvy SaaS and cloud-oriented people, we all share the same vision of compliance-utopia.

We broke down the properties of this “utopia” into tiny building blocks and realized that it could actually be achieved in a straightforward way.

Truth be told, the “a-ha” moment is consistent; it happens whenever we show potential customers how those building blocks complement each other to create a simple and intuitive model.‍

Contact us to start enjoying compliance. No kidding.

Latest Articles

Making Cloud Compliance Easy

The Challenge: Dealing with the Back-and-Forth There are so many shared challenges when it comes to cloud compliance. The constant back-and-forth with the auditor has become a draining routine. As you dart through digital archives for necessary audit evidence, precious minutes slip away from your actual duties. Each passing hour pulls you further from your […]

Ganesh The Awesome Senior Pre & Post-Sales Engineer at GlobalDots
16th October, 2023
How to Free Yourself (and Core Teams) from Ungrateful Compliance Work

What is the most annoying thing about compliance work? Out of 150 security leaders surveyed on Pulse, 41% pointed out their struggle for cooperation from core teams in producing evidence needed for InfoSec audits. In other words, compliance work is ungrateful and unpopular. Cloud compliance in hyper-growth companies poses a significant challenge in terms of […]

Shalom Carmel Chief Information Officer at GlobalDots
8th November, 2021
Webinar: How to Free Core Teams from the Nuisance of Compliance

Abstract In most companies, InfoSec compliance is a necessary evil, creating lots of bureaucracy and grunt-work for core teams like Sales and Development. It is yet another way in which security and its by-products slow down the business. Growing, cloud-native companies have zero tolerance to whatever slows them down. Therefore, a security stack that can […]

Eduardo Rocha Senior Sales Engineer and Security Analyst
25th October, 2021
The Complete Guide to SOC 2 Automation

As important as it is to achieve SOC 2 compliance, the manual work involved, along with all the minutia required, often leaves CISOs and Compliance leaders feeling overwhelmed at the prospect of preparing for audits.  But preparing for, and ultimately achieving, SOC 2 compliance doesn’t need to be complicated or overwhelming. Today, organizations are starting […]

Shalom Carmel Chief Information Officer at GlobalDots
16th June, 2021

Unlock Your Cloud Potential

Schedule a call with our experts. Discover new technology and get recommendations to improve your performance.

    GlobalDots' industry expertise proactively addressed structural inefficiencies that would have otherwise hindered our success. Their laser focus is why I would recommend them as a partner to other companies

    Marco Kaiser
    Marco Kaiser


    Legal Services

    GlobalDots has helped us to scale up our innovative capabilities, and in significantly improving our service provided to our clients

    Antonio Ostuni
    Antonio Ostuni


    IT Services

    It's common for 3rd parties to work with a limited number of vendors - GlobalDots and its multi-vendor approach is different. Thanks to GlobalDots vendors umbrella, the hybrid-cloud migration was exceedingly smooth

    Motti Shpirer
    Motti Shpirer

    VP of Infrastructure & Technology

    Advertising Services