Back when I started in InfoSec Compliance over 20 years ago, I thought taking manual screenshots was a big pain in the neck. It was a task that took up precious time and effort and required one of us Compliance people to endlessly hound our equally busy colleagues for data. But as inefficient as it was back then, it makes even less sense now. Using screenshots as the main method of collecting evidence is still cumbersome and time-consuming, it uses up all-too-precious people-power, and today, simply put, it is a construct of the past.
Truthfully, though, screenshots are just easy fodder; we all know that lots of processes in Compliance are stuck in the past: there are Excel spreadsheets, manual face-to-face audits, and endless trails of emails and texts. And not only are these processes outdated; they, too, use up precious resources.
This problem of wasting important resources becomes more prominent as companies grow. Mid-size and hyper-growth companies have far more complex environments than startups, with endless policies, procedures, standards, and guidelines. These elements consume time, people-power, and money, all of which could be reduced if old manual approaches were left in the dust.
In this post, I’ll address the issues that I see as contributing towards the unnecessary consumption of resources in Compliance, specifically in growing companies.
Multiple stakeholders - In growing companies, the responsibility for Compliance is no longer held by one person as it is in smaller companies. There is the CISO and the Compliance manager, but there are also multiple stakeholders outside of InfoSec (think R&D Lead, HR manager, Marketing manager, etc.), few of whom actually understand the value, importance, and time-sensitive nature of Compliance activities. Thus, Compliance teams spend a significant portion of their time chasing those people for evidence, which they may—or may not—deliver in a timely manner.
Wastes:
✅ Time ⏰
✅ People power 🧍🧍🏽🧍🏽‍♂️
Multiple frameworks - Many companies have more than one type of business unit, each requiring different frameworks. For example, consider a company that provides chips for devices; some of those chips go to Xbox consoles and some go to medical devices that hold PHI. So while this company may want to do SOC 2/ISO 27001 on all their systems, they also need to meet HIPAA on some systems. Without a way to seamlessly share evidence between frameworks, they have to do double the work.
Wastes:
✅ People power 🧍🧍🏽🧍🏽‍♂️
✅ Money 💰
Lack of transparency - The bigger the company, the fewer people know in depth the details and nuances of what other teams are doing. The multiple departments, locations, regions, time zones, etc., can lead to a major lack of transparency when being audited; imagine finding out mid-audit that what DevOps promised to deliver isn't there, or that at the very last moment, someone in some other department (in some other location!) changed an important configuration due to an emergency fix—but now the screenshot doesn't reflect the current configuration. Thus, the audit drags on longer than needed and may even cause the auditor to lose faith in your processes.
Wastes:
✅ People power 🧍🧍🏽🧍🏽‍♂️
✅ Time ⏰
Mergers and acquisitions - As companies merge and get acquired, Compliance teams have to account for new business units, unfamiliar policies and procedures, lots of new tools and plugins, and so much more. The potential redundancies create unnecessary work and effort, and the many unknowns can lead to unaccounted-for siloed data, which in turn leads to incomplete evidence. Moreover, the newly merged environment brings various types of controls and evidence as well as multiple stakeholders within the IT stacks of both companies. This means that teams spend time taking screenshots twice over, usually under the pressure of successfully completing the merger.
Wastes:
✅ People power 🧍🧍🏽🧍🏽‍♂️
✅ Time ⏰
✅ Money 💰
All this is to say that “doing Compliance” the old way in a growing company inherently consumes lots of time, people-power, and money.
It’s time to banish the manual processes of screenshots, spreadsheets, face-to-face audits, and emails and texts that never seem to stop—and finally embrace innovation. With Compliance automation, teams run the solution once and get results from all sources, providing enough information to go through the review process, confirm that controls are in place, and fix whatever needs to be fixed before the audit takes place.