
Why You Need Automation In Your Audit Preparation | anecdotes

Esther Pinto
March 28, 2024
Read why automation in your Compliance audit preparation is so important, with anecdotes

With nearly a decade in Information Security, I've prepared for just so many audits. And in my experience, it always started and ended with the same two feelings: exhaustion and frustration.

Why do I say exhaustion? I'm sure most of you can relate; preparing for an audit can seem unproductive and repetitive, and you don't always understand why you're doing this work. There are always missing personnel, and it can be difficult to increase your security team headcount with good people, so you wind up doing a few people's jobs.

As for frustration, it's because the compliance ecosystem is stuck in the dark ages and hasn't evolved as other ecosystems have in recent years. It's sort of bittersweet to see how Compliance's big brother, cyber security, is enjoying an eruption of innovation, while Compliance is being neglected, causing InfoSec people, such as myself, to feel ever so mildly frustrated. There is this constant feeling of disbelief that we're still using the same old tricks and techniques we used back before the cloud was a thing. I just cannot agree with the idea that everything in this highly sensitive ecosystem needs to be clumsy, manual and time-consuming, with almost zero automation.

We're in 2021; we made a COVID vaccine in less than a year, so can't we figure out how to remediate the Compliance burden?

Let’s look at SOC 2 as an example.

On average, it can take several months to achieve the certification. It depends on the type of the report, but let's say the average is 4 months - that's a third of a year!
And that's only one certification. Imagine what it takes to further comply with ISO 27k and PCI. Who said scale?

As an InfoSec leader, I’m aware of the facts and the burdensome manual work involved in achieving—and continuously meeting—Compliance. Here are my top 3 pain points that can be easily solved when using the right automation technology.

1. You cannot achieve a SOC 2 certification alone

When I worked for AppsFlyer, during our audits I worked with many stakeholders from various departments such as Support, QA, DevOps and more. There is no way I could collect all the evidence on my own, as I didn't have access to some technologies and environments. It actually follows access control best practices - the "need-to-know" principle. But this inherently creates dependencies on others. With automation, you'll still need the help of the same stakeholders, but only once, during connection (which should take only a few minutes when working with agentless technology). From that point on, there are no more dependencies (so yes, now is the time to scale your certifications).

2. Screenshots aren't always accurate and may be insufficient

How many times have you felt like you collected all the needed evidence prior to the audit, but when it came down to "money time", those screenshots just weren't accurate or sufficient? Well, in my experience, it happened too many times, to too many companies.

It's like coming to a university exam and finding out you studied from the wrong book.

With automated data-to-requirement mapping and collection capabilities, you know you'll always have the information you need at your fingertips, whether it's for an assurance, an attestation or an audit, and the data will always fulfill the requirements.

3. There’s no single source of truth

I'm tired of saving screenshots in folders, and of the back and forth with other stakeholders to make sure we're working on the same files. I'm fed up with the shared folder maintenance and with ensuring that every piece of evidence I've got is always up to date and that everybody uses the most updated files. Do you share this same sentiment?

Enough with screenshots, let's move to automation

So what if, instead of doing all of the above, you could just have all your most up-to-date evidence, organized and mapped in real time, even when working with the auditor, and in one centralized place for optimal collaboration and to avoid audit fatigue?

Honestly, it may sound like a far off pipe dream—but with automation, this state of simplified Compliance can actually be achieved.

Compliance is an integral part of the information security life cycle, but for some reason, in terms of innovation, it's still behind (actually, was behind). Now, however, it's become clear that automation is a must.

Today, as companies deal with the various frameworks and their requirements, as well as a lack of people-power, the benefits of automation have become more apparent than ever. It will make our jobs as InfoSec and Compliance leaders so much easier and more productive, and moreover, it will enable us to meet new Compliance goals and support business expansion.

So now that we all understand the pains of manual work, let's move to the automation part. What type of automation do you need? How can automation help you achieve the "always aware" state? What is automated data evidence? I'll tell you all about it in my next blog posts...

Esther Pinto
Information Security and GRC expert with a decade of experience. Believes in the power of using your voice to make a change. Head of Compliance Innovation & BizDev at anecdotes.