We all know how Compliance works. It’s one of those processes no one dares to disrupt. As InfoSec leaders, after having our morning coffee, we quickly move to our emails, going through those routinely generated reports, which leads us to believe that the procedures and controls are still in place and are in good shape.
Later in the day, we sit with the network administrator or SOC team member and ask them to present us with some screens of their configurations and dashboards. In order to document the current status, we take a few screenshots, export some reports, and shift those right to our mailbox.
Back from those meetings—after lunch with a colleague—we close the office door, sit in front of the computer, and start summarizing everything; the meetings, our conclusions, the findings versus the organization policy and procedures, and perhaps add one or two of those screenshots or reports we have.
The last mile involves our recommendations which we share via email with our good old "relevant stakeholders" and ask them to acknowledge and provide feedback. The best part of every email is the check-in due date for that gap we just discovered.
Long story short, just another day in the life of a typical Compliance manager.
Guidance, methodology, and structure are great. They help us achieve a higher level of accuracy and predictable results. Consequently, we have been trained to think of InfoSec Compliance as a bunch of framework-specific controls and pieces of evidence to be collected and analyzed towards its audit.
Back in the old days, this was the best way to enforce organizational policies and ensure the company mitigated its risks.
But the world is changing and technology empowers us in every aspect. Well, almost every aspect... InfoSec Compliance hasn’t changed much, yet.
Consequently, the immediate drawbacks we face on a day-to-day basis are:
I consulted with my professional network and found out how Compliance managers in different companies currently overcome some of these challenges:
It turned out that companies with mature Compliance functions usually build and maintain their own internal “evidence repository”, a.k.a. a shared folder on Dropbox with the “latest” evidence of each type.
And the others? They simply surrender and try to survive the chaos on a daily basis. Working in a checklists-based flow can sometimes make our lives easier—but for modern enterprises in the cloud era, InfoSec Compliance checklists are actually a huge burden, impeding the way to a scalable Compliance program.
Based on checklists and single point-in-time snapshots, InfoSec Compliance audits have led us to a dark corner.
Your work is stressful, largely because you know where compliance stands with management: they want us to be able to satisfy any potential customer, but don’t understand how painful every audit is for the organization. Audits are every company’s nightmare, since audit preparation requires every stakeholder in the organization to “donate” their time and produce some vague evidence, yet again.
The tragedy in this story is that these same stakeholders find those “send me a screenshot of X” tasks to be a huge burden. They have no KPIs for satisfying those queries, nor do they believe the evidence can be trusted or actually helps anything (besides satisfying the auditor).
With zero ROI, InfoSec certification is yet another “traditional” requirement of B2B sales that the company struggles with.
Oh, and the “highlight” of every audit is the endless ping-pong between you and the auditor, where you have to once again describe the structure of the company and its architecture so they’ll understand why this piece of evidence is the relevant one.
“What’s the intuitive way you’d expect InfoSec Compliance to work? Please describe the end-to-end flow you wish you had.” This is what we say to customers on our first call. You’d be surprised, but as tech-savvy SaaS and cloud-oriented people, we all share the same vision of Compliance-utopia.
We broke down the properties of this “utopia” into tiny building blocks and realized that it could actually be achieved in a straightforward way.
Truth be told, the “a-ha” moment is consistent; it happens whenever we show potential customers how those building blocks complement each other to create a simple and intuitive model.