figures
Blog

Life Is A Checklist of Checklists

Guest Writer
30.05.2021
image 4 Min read
Compliance Automation

Daily Chaos, By Design

We all know how security compliance works. It’s one of those processes no one dares to disrupt. As InfoSec leaders, after having our morning coffee, we quickly move to our emails, going through those routinely generated reports, which leads us to believe that the procedures and controls are still in place and are in good shape.

Later in the day, we sit with the network administrator or SOC team member and ask them to present us with some screens of their configurations and dashboards. In order to document the current status, we take a few screenshots, export some reports, and shift those right to our mailbox.

Back from those meetings—after lunch with a colleague—we close the office door, sit in front of the computer, and start summarizing everything; the meetings, our conclusions, the findings versus the organization policy and procedures, and perhaps add one or two of those screenshots or reports we have. 

The last mile involves our recommendations which we share via email with our good old “relevant stakeholders” and ask them to acknowledge and provide feedback. The best part of every email is the check-in due date for that gap we just discovered.

Long story short, just another day in the life of a typical compliance manager.

The World Is Changing—What About Compliance?

Guidance, methodology, and structure are great. They help us achieve a higher level of accuracy and predictable results. Consequently, we have been trained to think of InfoSec compliance as a bunch of framework-specific controls and pieces of evidence to be collected and analyzed towards its audit. 

Back in the old days, this was the best way to enforce organizational policies and ensure the company mitigated its risks.

But the world is changing and technology empowers us in every aspect. Well, almost every aspect… InfoSec compliance hasn’t changed much, yet.

Consequently, the immediate drawbacks we face on a day-to-day basis are:

  • A control may be unfulfilled a week after the audit, but unfortunately you don’t know about it
  • The modern business environment is chaotic and every department has a growing number of tools in place 
  • When we finally do find the right platform-specific screen we need, the data is barely enough to really trust the control
  • The data is outdated the moment we get it, and no one wants to beg for new pieces of evidence every day

I consulted with my professional network and found out how compliance managers in different companies currently overcome some of these challenges:

It turned out that companies with mature compliance functions usually build and maintain their internal “evidence repository”, aka, a shared folder on Dropbox with the “latest” evidence of each type.

And the others? They simply surrender and try to survive the chaos on a daily basis. Working in a checklists-based flow can sometimes make our lives easier—but for modern enterprises in the cloud era, InfoSec compliance checklists are actually a huge burden, impeding the way to a scalable compliance program.

You Can Bridge Gaps, Not Craters

Based on checklists and single point-in-time snapshots, InfoSec compliance audits have led us to a dark corner.

Your work is stressful, largely because you know that compliance is spotter from the management; they want us to be able to satisfy any potential customer, but don’t understand how bad every audit is to the organization. Audits are every company’s nightmare since audit preparation requires every stakeholder in the organization to “donate” their time and produce some vague evidence, yet again.

The tragedy in this story is that these same stakeholders find those “send me a screenshot of X” tasks to be a huge burden. They don’t have KPIs for satisfying those queries, nor do they believe they can be trusted or actually help anything (besides for satisfying the auditor).

With zero ROI, InfoSec certification is yet another “traditional” requirement of B2B sales that the company struggles with.

Oh, and the “highlight” of every audit is the endless ping-pong between you and the auditor, where you have to once again describe the structure of the company and its architecture so they’ll understand why this piece of evidence is the relevant one.

Compliance isn’t a Nightmare Anymore

“What’s the intuitive way you’d expect InfoSec compliance to work? Please describe the end-to-end flow you wish you had.” This is what we say to customers on our first call. You’d be surprised, but as tech-savvy SaaS and cloud-oriented people, we all share the same vision of compliance-utopia.

We broke down the properties of this “utopia” into tiny building blocks and realized that it could actually be achieved in a straightforward way.

Truth be told, the “a-ha” moment is consistent; it happens whenever we show potential customers how those building blocks complement each other to create a simple and intuitive model.‍

Contact us to start enjoying compliance. No kidding.

Comments

0 comments

There’s more to see

slider item
Compliance Automation

How to Free Yourself (and Core Teams) from Ungrateful Compliance Work

Dror Arie 08.11.21

What is the most annoying thing about compliance work? Out of 150 security leaders surveyed on Pulse, 41% pointed out their struggle for cooperation from core teams in producing required evidence. In other words, compliance work is ungrateful and unpopular. Cloud compliance in hyper-growth companies poses a significant challenge in terms of business growth. Whether […]

Read more
slider item
Compliance Automation

Webinar: How to Free Core Teams from the Nuisance of Compliance

Li-Or Amir 25.10.21

Abstract In most companies, InfoSec compliance is a necessary evil, creating lots of bureaucracy and grunt-work for core teams like Sales and Development. It is yet another way in which security and its by-products slow down the business. Growing, cloud-native companies have zero tolerance to whatever slows them down. Therefore, a security stack that can […]

Read more
slider item
Compliance Automation

The Complete Guide to SOC 2 Automation

Dror Arie 16.06.21

As important as it is to achieve SOC 2 compliance, the manual work involved, along with all the minutia required, often leaves CISOs and Compliance leaders feeling overwhelmed at the prospect of preparing for audits.  But preparing for, and ultimately achieving, SOC 2 compliance doesn’t need to be complicated or overwhelming. Today, organizations are starting […]

Read more

Unlock Your Cloud Potential

Schedule a call with our experts. Discover new technology and get recommendations to improve your performance.
Contact us
figure figure figure figure figure