S2 E28: The Value of Compliance Orchestration

The Value of Compliance Orchestration

Transcript

Jordan Eisner: Alright, well, welcome to Compliance Pointers. I’m your host, Jordan Eisner, and I appreciate all of you for listening.

I’ve got Brandon Breslin on today. Brandon, you’re jumping all around. You’ve got a new hire just started here. So thank you for making the time to jump on this podcast with us.

Brandon Breslin: Absolutely. Thank you, Jordan, for having me as well.

Jordan Eisner: Today, we’re going to be talking about compliance orchestration and compliance as a service, right? Program management. And Brandon is a good person to speak to about this. Brandon has been a QSA and been working in PCI, I think, for more than 10 years.

He leads it for CompliancePoint as the director of our assurance practice, which not only includes PCI, but also SOC 2 and ISO 27000 services as well. And before that, he worked at a very large firm for many, many years, mainly on the PCI side, right?

Brandon Breslin: Exactly. Yep.

Jordan Eisner: Good deal. Well, we’ll jump right in. I mean, the first question is really in the title, right? What is compliance orchestration and compliance as a service?

Brandon Breslin: Yeah. And I think these terms are buzzwords out there right now. It’s a shift in the industry. If you think of these security assessments that are out there, you mentioned PCI, SOC, ISO, each of these frameworks, right? They may have had defined audit periods. They may have had point-in-time assessments done. But the shift is away from that traditional audit cycle to more of the year-round program management, compliance orchestration, compliance as a service, more of the subscription model, if you will, if you want to kind of put it in those informal terms of you’re always working towards the compliance.

It’s not a one time. It’s a journey. It’s always needing to be done. I mean, you see data breaches out there all the time, right? It needs to be continuous. You have to have people dedicated to this. It’s not something that’s just a one-time check the box and you’re done. That used to be the case. And that is not the case anymore.

So compliance, you know, I’ll start with compliance as a service, right? That’s more of the subscription model, if you will. It’s a managed service option, right? It’s changing from the one time compliance assessments to now the ongoing maintenance, the ongoing process, the ensuring everything’s up to date on a more frequent basis, evaluating your controls, your operational controls, your technical controls, even down to the level of your policies and procedures way more often than that traditional one-time audit cycle.

The compliance orchestration side of it is more of the tactical piece, right? Like really finding opportunities to automate your compliance activities, streamlining those workflows that you may have, having it again more often than one time.

Jordan Eisner: So you mentioned something you said. It used to be one time was OK. That’s not the case anymore. What changed?

Brandon Breslin: Yeah, I would say the security landscape has just changed, right? Things have become more complex. Data security, data privacy, protecting data has become such a large endeavor for many organizations that they’ve come to terms to realize we cannot do this one time a year, right? We cannot do this one time a quarter. We have to do this more often.

Even if they’re doing an assessment once a year, they still have to change their processes internally to have it be a priority for the organization more often, right? Having dedicated personnel.

So I would say what changed is just the security landscape. I mean, if you look at, you know, history, right? There are more data breaches out there now than ever before. That is to say, there is still a higher level of data content that’s out there, right? So there’s more opportunities for data breaches. But from a protection and security of, you know, your organization, right? It’s becoming more of a priority for most that maybe weren’t having it as a top priority before.

Jordan Eisner: So how does an organization know if they need compliance orchestration or compliance as a service? Or does every organization need it?

Brandon Breslin: Maybe not every organization is going to need it. I think every organization is going to be unique. I would say some may benefit others. Right. And there are some, especially customers that we work with that already have a very mature and robust security posture. Where they are working towards that on a continuous basis.

But I think where it benefits most organizations is if you’re doing manual processes, right? If you are coming up to the audit cycle, right. And it’s a struggle for you. Oh, we need to get everything in order. You know, get with these five different departments. Like it’s a scramble to try to find documentation, try to find evidence. You’re doing manual processes. You’re updating all of your policies and procedures right before the assessment starts. Like that is a sign that your organization is not truly working towards being compliant on a regular basis.

You’re really only looking at security and compliance because the audit is happening. That is checking the box.

Jordan Eisner: You’re checking a box as opposed to getting better incrementally and improving, which used to be the point of an assessment. Where are we today? How do we improve? And then assess it next year. Did we improve? How can we improve more?

Brandon Breslin: Absolutely. And, you know, I think it all comes back to what is the priority for the organization? If they are not putting security and compliance, it used to be security or compliance. Right. It’s security and compliance. If the organization is not making that a top priority, none of these things are ever going to be achieved, quite frankly, because if you don’t get senior level, executive level management buy-in from the top and make it a priority for the organization, it’s never going to move forward.

Jordan Eisner: So I’ve heard the same. Secure isn’t compliant and compliant isn’t necessarily secure, but I’ve also heard compliance should be an output of a security program. So maybe that’s what you are meaning or talking about when you talk about compliance orchestration, compliance as a service. It’s focused on security and a good secure program. And if you do that day in and day out, the compliance exercise, the assessment becomes more of an output of a robust security program.

Brandon Breslin: Right. Absolutely. The good inputs you put in will result in good outputs. Right. And as it relates to security and compliance, I love your illustration of that. If you make security the focus, each of those requirements or controls that have to be done from a compliance perspective will just naturally fall in line.

That’s to say, if you put compliance first, if you just look at the requirements, say, oh, are we hitting the minimum baseline? Are we hitting the standard? Are we hitting the requirement that we have to do? You’re never going to get better. You’re never going to improve the security posture of your organization. And you may miss areas that need to be evaluated that may be outside the purview of those requirements.

The requirements for most security frameworks that are out there are usually a minimum baseline. If you are barely hitting those, then that probably means you need to look internally to determine what do we need to do to get better.

Like there are plenty of companies that have data breaches, data leakages that were compliant with each of the standards that are common out there. So it’s not just hitting the standards, really, where can you go above and beyond?

And that’s where the compliance as a service model, the managed service option, as well as compliance orchestration really comes into play because it alleviates the audit crunch. It alleviates that one-time process. It helps keep this as a priority for the organization because it’s always the top of mind. If you’re working with a consulting company, for example, like CompliancePoint, if we’re working with you on a monthly basis, it’s always going to be top of mind. You’re always going to be knowing what’s the latest guidance out there, what are the latest controls out there, as well as what are the latest trends in the industry that are outside the purview of those requirements that we, the organization, should be thinking about.

Jordan Eisner: Some interesting points there.

As opposed, not opposed, but in addition to compliance becoming an easier output of a security or compliance orchestration program, what are some other key benefits for our listeners that you can identify?

Brandon Breslin: Yeah, I would say enhanced visibility is number one, right, to kind of go hand in hand with establishing it as a priority for the organization. If the entire organization is seeing the benefit of an easy, I use the term easier loosely, a more streamlined process to being secure or improving your security posture, getting to a compliant state for your environment that enhances visibility across the organization, that shows that it’s a priority.

Improving stakeholder confidence. If you have customers that you’re reporting to or other third parties like an acquirer or somebody like that, if you’re showing them more often that you’re in a compliant state, that improves their confidence. It even improves efficiency and results in some cost savings internally for the organization, because, for example, if you’re in a stronger security posture and you prevent a data breach, right, or significantly reduce the risk of a data breach, that’s cost savings as well as it saves time for resources internally on the organization so that you don’t have to dedicate everybody to be available at one time for that assessment, right?

Even if it’s, let’s say it’s a 90-day assessment, if it’s broken out over a longer period of time, there’s less of an audit crunch, and there’s less resource intensive activities that need to be done in that 90-day window.

Jordan Eisner: And that, you bring up a good point on the personnel and their time spent, and I don’t think it’s an unknown fact that CISOs, security resources, the tenure is not very long. And you’re probably going to have some moving pieces from a personnel standpoint in your security program, so more regular ongoing compliance orchestration maybe makes it more top of mind, more consistent, less of a fire drill. If you’re waiting until the last moment for the assessment, like we talked about, and you’ve got a bunch of new players involved as well.

Brandon Breslin: Yeah, it’s a great point. And as it relates to the resource constraint and the potential turnover resource sharing, right, knowledge sharing.

Jordan Eisner: Yeah, that’s a good point. Not even just the turnover, but also just the shortage.

Brandon Breslin: If you’re doing this on an ongoing basis, there’s a huge opportunity to leverage crossover, right, of other personnel in the organization. It’s less of a constraint there. Even if there is turnover, you know, that’s easily shiftable or can be shifted easily. So there are so many indirect benefits of this.

But I go back to the having this be a priority for the organization. If you are constantly having this as a top of mind item, then it makes it easier, right, because you’re not waiting until the end of the year or middle of the year to do the assessment. And then you have to scramble finding all of your evidence and gathering everybody across different departments. If you’re already engaged throughout the year, it’s just like another month of the year.

Jordan Eisner: So I want to ask how organizations can get started. But before that, why do you think more organizations aren’t doing orchestration or compliance as a service? Is it just because this is how they’ve always done it with the fire drill type assessment or reasons would you give?

Brandon Breslin: I think it’s a combination of, you know, that we’ve already done it. We did it last year and we ended up with a compliant report or we ended up getting over the finish line. So let’s just do it again. No reason to change, right. If it ain’t broke, don’t fix it type of mentality.

Or they quite frankly get overwhelmed at the idea or they are apprehensive, right, maybe from a not only change perspective, but kind of future looking, right. Like, what is the benefit if we’re already doing this as a one-time audit? What’s the point of changing methodologies if it’s working? Right.

And, you know, I think also there’s a misnomer that it costs more to do it more often, but that’s not necessarily the case, because that cost can be broken out over the year. It’s actually easier to budget from a financial perspective for the organization. So there is another benefit there. It can be spread out cost-wise.

But I think the biggest thing is, you know, risk appetite, apprehension for change. They sometimes don’t see the benefit if they already got an assessment done earlier in the year, the prior year. Like, what’s the point of changing?

I will say no organization ever intends to have a fire drill, right? Like that just naturally happens a lot of the time when they start going internally and looking for evidence, looking for personnel that they need to speak with, gathering data, right, that they need to. Every time or most of the time they go into it expecting it to go smoothly, but it does not always go smoothly. That’s just the reality of the audit crunch, right? And things happen. Things can come up. Other priorities in the organization can come up. And if you have it spread out across the year or on more of a regular cadence, that allows for that flexibility if priorities in the organization change.

Jordan Eisner: So back to the question then, how can organizations get started with the compliance orchestration, compliance as a service type program?

Brandon Breslin: Yeah, I think first and foremost, look internally. What are the priorities for the organization, right? Is security and compliance a focus? Number one, if it’s not a focus, then what needs to be changed to have it be a focus? Is it something out there that’s, you know, maybe you’re not getting pressure from outside parties, right?

And if not, what is the type of data that you’re trying to protect or what are the security frameworks maybe that you’d like to undergo an assessment for? And when you look at the plan for the year overall, especially for larger organizations where you may have different frameworks, what makes sense, right?

To be doing different audits at different times? No, that doesn’t make sense. That’s not efficient, right? It makes sense to, you know, to look at it over the year. How can we make this on a regular cadence? It’s not going to be a huge burden for us later in the year.

So really, number one is assessing your internal processes, establishing your priorities for the organization.

And then I would say next is, you know, kind of take those priorities and then establish a culture within the organization, right? Of, hey, we are going to shift away from the traditional audit cycle and we’re going to move towards a year-round compliance model. It’s better from a security posture. It usually results in cost savings and it’s an easier burden on resources on the team internally, especially for, you know, if there’s a dedicated compliance team or even if there are people that hop around between different departments to try to gather the compliance and, you know, and security evidence for the assessments and things like that, that is a huge lift off of them. Or a huge burden lifted, I should say, off of them.

And then I’d say the last part is working with a third party, right? You know, a consulting company, CompliancePoint is one of them. There’s plenty out there that do this type of model that allows for flexibility to work to get to that compliance, say, for each of these frameworks.

Jordan Eisner: And so should a company decide to take the plunge, dive into orchestration, compliance as a service, so they’re prepared, what are some common challenges you see organizations face with implementing a program like this and how can they overcome them?

Brandon Breslin: Yeah, I think it goes back to again to priorities, right? If the organization, I see this happen time and time again of, you know, executive leadership may make a decision, but it doesn’t get passed down to those that are more boots on the ground and implementing some of those. And that’s where apprehension and even tension can come into play. So I think first having synergy or communication between executive management and those that are going to be executing or working with compliance teams, working with different departments, working with data owners, right? Application owners, making sure that there’s alignment there. That’s first and foremost the priority. So I would say, yeah, the fragmentation or, you know, siloed execution is probably a number one cause there for challenge.

And then also just, you know, resistance to change, right? I think there’s still that apprehension out there that we see of, hey, if it ain’t broke, don’t fix it. We did an assessment last year. Sure, we had some hurdles. Yeah, we were delayed on evidence, right? We couldn’t get the consulting company the evidence in time. So it took them a little bit longer to get the report. However, we got it done, right? Like sometimes that mentality will prevent that change. And that’s not to say that anything’s wrong with the current audit process. This is just if you want to ratchet it up and take it to the next level, build efficiencies, save your team time, you know, free them up so that they can actually do the work that they are tasked to do in the organization. There are other priorities, right? That’s really the way to take it to the next level.

Jordan Eisner: And reduce surprises.

Brandon Breslin: Yeah, exactly. And I think for overcoming some of those challenges, right? Like leverage technology, leverage GRC platforms, right? Have crosswalk or overlap between other frameworks, right? Most organizations are not just doing one or two security frameworks.

They are needing to be compliant or needing to be evaluated against at least three, four, five, sometimes 10, 12 frameworks out there. So leveraging technology works smarter, not harder. Right.

Ensure you have executive buy-in, have that communication between those that are executing or boots on the ground as well as with executive management. That’s such a critical component.

And also figure out what makes sense for the organization from a, you know, from a risk posture standpoint. Right. How much risk is the organization willing to undergo if you’re working with multiple companies? Does it make sense to align that?

For us at CompliancePoint we have multiple departments where we’re doing multiple frameworks at one time and we use a tool that allows us to have that crosswalk and overlap to make these types of, you know, continuous compliance orchestration type assessments run very smoothly.

If you’re working with different assessors, that could be a fragmented result there, too. So that’s another factor to think about.

Jordan Eisner: All good points. Brandon, thanks for your time. Always good to have you on this podcast. A lot of good, I think, insightful information you provided.

And for our listeners, if you have any questions on compliance orchestration, compliance as a service, or any other name really applied to this model or label, please feel free.

Reach out to Brandon, myself, we’re both on LinkedIn. You can come to CompliancePoint via our website. You can email us at connect@compliancepoint.com, but we’d love to field your questions, concerns, interest in such a program.

And thank you for listening. We produce content like this on a regular basis. Make sure you don’t miss an episode. Subscribe to whatever platform you’re using. And if you’re enjoying this content, leave us a review. Until then, continue to subscribe and you’ll hear from us soon.