Want to Scale Compliance? Screenshots As Evidence Aren't The Way

Gidi Farkash
April 10, 2024
Learn with anecdotes why it is not wise to use screenshots as evidence of Compliance

Back when I started in InfoSec Compliance over 20 years ago, I thought taking a manual screenshot as evidence was a big pain in the neck. It was a task that took up precious time and effort and required one of us Compliance people to endlessly hound our equally-busy colleagues for data. But as inefficient as it was back then, it makes even less sense now. Using screenshots as the main method of collecting evidence is still cumbersome, time-consuming, uses up all-too-precious people-power, and today, simply put, it is a construct of the past.

Truthfully though, screenshots are just easy fodder; we all know that lots of processes in Compliance are stuck in the past: there are ISO 27001 evidence spreadsheets, manual face-to-face audits, and endless trails of emails and texts. And not only are these processes outdated; they, too, use up precious resources.

This problem of wasting important resources becomes more prominent as companies grow. Mid-size and hyper growth companies have far more complex environments than startups, with endless policies, procedures, standards, and guidelines. These elements lead to the consumption of time, people-power, and money, all of which could be reduced if old manual approaches were left in the dust.

In this post, I’ll address the issues that I see as contributing towards the unnecessary consumption of resources to prove security Compliance, specifically in growing companies.

What’s Causing Hyper Growth Companies to Waste Compliance Time/Money/People-Power?

There are various reasons why growing companies squander resources when using screenshots as evidence of Compliance. Below we will explore four factors and detail the resources wasted by each.

  1. Multiple Stakeholders

In growing companies, the responsibility for Compliance is no longer held by one person as it is in smaller companies. There is the CISO and the Compliance manager, but there are also multiple stakeholders outside of InfoSec (think R&D Lead, HR manager, Marketing manager, etc.), few of whom actually understand the value, importance, and time-sensitive nature of Compliance activities. Thus, Compliance teams spend a significant portion of their time chasing those people for evidence such as Compliance screenshots, which they may - or may not - deliver in a timely manner.

Wastes:

✅ Time ⏰

✅ People power 🧍🧍🏽‍♂️

  2. Multiple Frameworks

Many companies have more than one type of business unit, each requiring different Compliance frameworks. For example, consider a company that provides chips for devices; some of those chips go to Xbox consoles and some go to medical devices that hold PHI. So while this company may want to achieve SOC 2/ISO 27001 on all their solutions, they also need to meet HIPAA on some systems. Without a way to seamlessly share evidence between frameworks, they have to do double the work.

Wastes:

✅ People power 🧍🧍🏽‍♂️

✅ Money 💰

  3. Lack of Transparency

The bigger the company, the less deeply people know the details and nuances of what other teams are doing. The multiple departments, locations, regions, time zones, etc., can lead to a major lack of transparency when being audited; imagine finding out mid-audit that what DevOps promised to deliver to the Compliance team isn't there, or that at the very last moment, someone in some other department (in some other location!) changed an important configuration due to an emergency fix - and now the screenshot no longer reflects the current configuration. Thus, the audit will drag on longer than needed and may even cause the auditor to lose faith in your processes.

Wastes:

✅ People power 🧍🧍🏽‍♂️

✅ Time ⏰

  4. Mergers and Acquisitions

As companies merge and get acquired, Compliance teams have to account for new business units, unfamiliar policies and procedures, lots of new tools and plugins, and so much more. The potential redundancies create unnecessary work and effort, and the many unknowns can lead to unaccounted-for siloed data, which, in turn, leads to incomplete evidence to prove security Compliance. Moreover, the newly merged environment brings various types of controls and evidence as well as multiple stakeholders within the IT stack of both companies. This means that teams spend time taking screenshots twice over as evidence of Compliance, usually under the pressure of successfully completing the merger.

Wastes:

✅ People power 🧍🧍🏽‍♂️

✅ Time ⏰

✅ Money 💰

The Alternative to Using Screenshots as Evidence of Compliance

All this is to say that “doing Compliance” the old way in a growing company inherently consumes lots of time, people-power, and money.

It’s time to banish the manual processes of using screenshots as evidence of Compliance, spreadsheets, face-to-face audits, and emails and texts that never seem to stop - and finally embrace innovation. With Compliance automation, teams run the solution once and get results from all sources. The automated evidence collection provides enough information to go through the review process, ensure controls are in place, and fix whatever needs to be fixed to ensure optimal performance before the audit takes place.

Using an automated evidence collection Compliance tool allows teams to stop doing unnecessary, repetitive work and ensures total transparency, enabling them to scale their Compliance and save resources as they grow. anecdotes, a pioneer in Compliance automation solutions, can help you eliminate the use of manual screenshots as evidence of Compliance with its data-driven, evidence-based approach.

Gidi Farkash
Cyber security and GRC professional with over two decades of experience, loves compliance like MJ loves basketball, Director of Compliance at anecdotes.