You might have seen our recent “I **** SOC 2” campaign.
With a billboard at Tel Aviv’s busiest junction and video ads in elevators across some of the city's largest office complexes, it made quite a splash. In fact, I think some of us here at anecdotes were almost caught off-guard by the degree to which the campaign resonated with compliance people.
But as someone who has spent nearly a decade in the Information Security field, I wasn't shocked at all.
That’s because SOC 2 and nearly every other framework out there can make our professional lives very, very challenging. Day in, day out, we worry about meeting all the tiniest details of up to 13 (!) frameworks in the average organization. Then, once we've compiled all our evidence and all requirements have been met, it's time to book that dreaded audit. And guess what? Even simply booking the audit can be a giant pain in the backside. Between hectic schedules and things outside of our control (you know, like those pesky COVID lockdowns), finding the time in which to perform the audit can, in and of itself, become a struggle.
Once we get to the audit, there’s the challenge of presenting full evidence. If evidence for a control is missing or otherwise incomplete, that sets off a ping-pong match, wherein the auditor requests more information and we scramble like cockroaches to fill it in. Then, we have to wait to find out if what we provided was sufficient or not—and hearing back from the auditor can take days. Then s/he requests more information, we fill it in, etc... and so it goes, and so it goes.
Here’s a tangible example of this at work: during an audit, while reviewing the lists of employees, access rights, etc., the auditor discovers a user account belonging to an employee who has left the company. That employee worked in DevOps, and the new DevOps hire still has not replaced the old credentials everywhere they are used across the platform. Now the auditor wants this remediated, and new evidence backing up the remediation must be presented and then approved. And this back and forth can continue ad infinitum.
This last part creates two issues: First, the incessant back and forth further extends the process, making the road to becoming compliant longer and more arduous. Second, the newly requested evidence adds more digital clutter to the data already there, making it more complicated for the auditor to get to the critical information.
I’ve long wondered if there could be a better way to go about the audit process itself—what if instead of sending emails and sharing Excel sheets, we could (metaphorically, of course) let the auditors into our minds and thought processes?
I’m talking about eliminating the need for face-to-face audits and their manual processes. Instead, we could establish an interactive workspace for both compliance teams and auditors. In this shared zone, the auditor would have access to the controls and evidence that have been reviewed and are ready to be audited, enabling them to spend the majority of their time on their own, exploring the controls and evidence, not confined by time and place. Then, after going through all the agreed controls and their corresponding pieces of evidence, they could come back with a list of remaining questions via the platform.
The idea behind establishing one unified workspace is to give the auditor the visibility needed to understand the controls language of the organization and allow them to review the chosen evidence, together. Providing access to the control environment creates a bubble in which organizations can keep their own data but auditors can easily understand the specific controls and evidence.
In my book, anything that makes audits less frustrating is a step in the right direction. But giving the auditor the freedom to see straight into my environment, and on their own time (!), has some additional (huge!) benefits:
Saves time - Once this shared space has been established, the auditor can access it from anywhere, anytime, and doesn't need to be shown anything. This drastically reduces the back and forth communication and simplifies follow-ups.
Streamlines processes - Every audit consists of so many pieces of evidence—which usually means LOTS AND LOTS of screenshots and spreadsheets. But in this shared space, all evidence is mapped, connected and normalized automatically to make for simple and straightforward reporting.
Creates transparency - With a shared space, both teams and auditors can always go back and see what was done, to aid in continuity and retention. It also provides a place to communicate with the auditor, where they can comment on and accept evidence. Additionally, because the data is normalized, users (both internal and auditors) can search and sort by evidence data.
Improves security posture - Over the course of any audit, organizations share some very sensitive information with auditors. In a shared space, auditors get this information in a read-only format, and there is a log of who accessed the data and when it was accessed, which enhances security posture while ensuring the auditor has the information needed.
For so many years, auditors have been leading the compliance audit conversation, with companies aligning with their will. But the time for change has come. I think what we're seeing here is the dawn of a new compliance era in which we, the people dealing with the intricacies and details of this world, get to lead the conversation, accompanied by the auditors. By giving auditors a view into our processes and methodologies—and how we work—we can effect this shift.
Will granting the auditor a view into the environment magically fix what’s ailing the full compliance ecosystem? In my opinion, this new paradigm may have the potential to transform audits from tension-filled experiences into tolerable—and perhaps even empowering—ones.