
4 (Compliance) Horror Stories

Batya Steinherz
April 10, 2024

It’s that time of year again, when golden-orange leaves crunch underfoot, the days get shorter, the nights get colder, and ghouls and ghosts roam the streets.

It must be time for Halloween!

In InfoSec Compliance, it seems that everyone has a horror story to tell, from veterans of the field to newbies. In the spirit of this ghastly day, we bring you 4 short anecdotes (okay, groan, we know) from Compliance professionals. So sit back, grab a mug of pumpkin spice hot cocoa, and enjoy as we explore some spooooky (well alright, not so spooky, but definitely frustrating) Compliance horror stories.

Horror story number 1 - SOC 2 Scream - M, a GRC specialist at a major corporation, was tasked with leading SOC 2 preparations for one of the company’s many business units. He and his team had been collecting evidence and perfecting controls for months, right down ‘til the final moments. In the prep process, he stored some evidence locally on his computer and intended to move it to their shared folder. Long story short, he forgot. And on the morning of the audit, his computer died (well, it is a Halloween story; something had to die). Now, just moments before the audit, he was left without that crucial evidence.

Horror story number 2 - The Running (R&D) Man - K, a Compliance manager at a growing tech startup, spent the better portion of her days chasing her colleagues for evidence. While no one was particularly forthcoming, she found herself hounding the head of R&D for ages. “Don't worry, I’m getting it to you soon,” he would say. Every day. For 3 months. He finally delivered the evidence just a few days before the audit, and to K’s great dismay, his “evidence” was all out of date and missing key pieces of information like usernames and ticket IDs.

Horror story number 3 - Send in the (Evidence) Clones - Another horror story involving K. ‘Twas the night before their ISO 27001 audit and K’s team was putting the finishing touches on their evidence. Then K noticed two pieces of evidence that correlated to the same control. But which was the imposter? How could this have happened? She remembered that after she received control evidence from the head of HR, it seemed like a key piece had been omitted. K requested from HR to send the “missing” evidence, but now here she was, with two pieces of evidence, and no way of knowing which one was the more accurate one.

Horror story number 4 - The (Auditor) Monster Mash - D, a Compliance manager at a hyper-growth company, had already been through a few years’ worth of SOC 2 audits with one auditor. They had a great working relationship, but on the day of the audit, that auditor fell ill and the firm sent a different auditor in her place. Sometimes, different can be good; but like the evil substitute teacher who makes you desperately wish your old one would return, this one was, well, a monster. In fact, she seemed to be truly gunning for D and her team; for example, while their regular auditor always asked for 10 samples, this new (monster) auditor asked for 5 more, since the 10 already reviewed were “too perfect” for her liking.

Concluuuuusion

If the prospect of experiencing your own InfoSec Compliance horror story keeps you up at night, consider Compliance automation. It’s the key to curbing nightmares like the ones above and is instrumental in enabling companies to drastically reduce the time and resources invested in Compliance activities.

With automation, you can transform Compliance activities from a peril-filled trick into a true treat.

Batya Steinherz
Veteran explainer of complicated stuff. Loves all things coffee and cyber security-related (yes, even Compliance). Content Marketing Manager at anecdotes.