Compliance hinges on continuity
Digital-first companies understand the importance of compliance, especially when it comes to cybersecurity. There is even proactive interest and curiosity in exploring compliance programs. However, installing compliance programs, managing them, and undergoing audits are often heavily reactive processes, marked by scrappy measures, last-minute rushes, hurriedly assembled evidence, audit frenzy, and disrupted activities across the organization.
Bill Confer, Audit Manager at Sensiba, notes that ‘for individuals undergoing an audit for the first time, it can be overwhelming and stressful’ and that ‘it’s unfortunate that audits have such a negative connotation.’ According to him, the problem lies not so much in the notion of audits themselves but in the way compliance is understood and practiced. He emphasizes that audit success is a direct outcome of a strong security posture and calls for a fundamental shift in the way compliance is perceived and practiced. “Organizations should work on implementing cyber security practices and compliance will follow,” he says.
Sustaining these security practices is critical to audit success. Bill says, “Auditors look at the controls and measures you have in place and sample evidence that proves controls operate or do as they are intended by management.” In essence and effect, then, to embrace this fact is to invest in continuous visibility into control measures: how they are applied, tested, and functioning.
Often compliance drives security programs. It needs to be the other way around.
Audit one, meet many
All compliance programs are conceived with a unique end in mind. Yet they all start out the same way. “Customers drive compliance activities in any company – they will let you know what’s needed from a business perspective,” notes Bill.
To serve many different kinds of customers – from different segments, geographies, and industries – the compliance breadth must stretch and expand. Evaluating a framework and determining if – and how – it fits with the overall organization requires reflecting on what is driving the business and infosec enforcements. As Bill asserts, “Because customers will let you know what they want to see, this will always be the biggest driving force behind any framework implementation.”
Frameworks like SOC, ISO, NIST, and others are, at bottom, security best practices. By and large, they achieve the same things, control-wise and policy-wise, just with different degrees of strictness.
As an auditor, Bill has seen the benefits of this mindset firsthand. “We believe in ‘audit one, meet many’. By continuously monitoring controls against one framework, you will be able to meet multiple frameworks and their associated requirements,” he says. “This way, you do not repeat the effort of collecting and sharing evidence that maps to other frameworks and standards.”
This is where a compliance automation platform adds the most value, notes Bill.
Continuous readiness through compliance automation
From central control mapping to API-based monitoring and automated checks, centralization is the highest value and the main object of compliance automation. “Managing compliance in one place makes visibility easy to achieve and helps everyone keep track of what’s happening,” notes Bill.
Compliance automation platforms become far more useful when they can draw a straight line that cuts through all security frameworks. By maintaining common, referenceable artifacts that map to every framework, they make it much easier for businesses to pursue and implement new frameworks and to complete audits with greater efficiency.
“In addition to being a centralized place of truth, compliance automation platforms promote collaboration between audit firms and clients – everyone understands everything,” notes Bill. “Because these platforms also do continuous monitoring throughout the period, testing evidence is less daunting. We can see that these controls have been in place, passed from x date to y date, and reliably verify the client was in compliance for that entire period. It helps the overall process turnaround – we can pull out evidence and complete test requirements, and deliver a report much quicker,” he adds.
Bill explains that a big part of successful coordination is the client’s readiness. “Before you go through an audit – any audit – you have to go through a ‘readiness’, which itself can take 2-4 months to complete,” he notes. “At the audit stage and fieldwork phase for SOC 2, you hop on calls, kick off, review control lists, make sure there are no changes that impact the system, share the evidence request list to satisfy the standard, and more. Because the team who receives the evidence would need another 2-4 months to complete the testing, it helps when the clients come in ready and prepared for the reviews.”
By virtue of being a central place of truth, compliance automation is well suited to ensuring audit readiness. “With a platform like Sprinto, an auditor only has to log in and get the evidence in one place, including compliance checks for the whole period. This reduces evidence requests greatly. And we, as auditors, can help move the client to the finish line.”
A compliance automation platform speeds up the overall audit process by 3 times.
Audits with Sprinto
Sprinto does a great job of getting its clients to audit readiness and making sure they are passing all appropriate compliance checks.
“After we are engaged, Sprinto works with clients to get them through readiness. After the kickoff, once we get access to Sprinto, we go in and immediately start testing. We can get through testing and turn around a final report in 3-5 weeks if all of the audit teams’ follow-ups have been addressed,” notes Bill.
Highlighting the role of Sprinto’s in-house experts, Bill remarks that the flow of information between client and auditor runs smoothly through their involvement. “As auditors we always have questions. That’s a big part of the process. Sprinto CSMs support their clients by responding to questions we ask of them, helping them log additional evidence and perform the due diligence,” he remarks.
Additional support from Sprinto’s side to guide and direct the clients – that’s very customer-service driven!
Helping businesses move away from performative compliance to lasting compliance, SSF finds compliance automation platforms like Sprinto to be most beneficial, especially in driving compliance maturity and a consistent state of readiness.