Third Party Reporting
Avoiding the pitfalls of turnkey compliance solutions
November 17, 2020 • Jacob Nix
Artificial intelligence, data analytics, and machine learning have advanced the security and compliance space. These technologies have enabled businesses to better protect information and systems, and have helped auditors better understand environments and perform audits more efficiently, but they bring their own challenges.
While these powerful tools have led to tangible improvements both internally for service organizations and externally for audit firms, they have not replaced the need for thoughtful planning, architecting, implementation, and execution of cybersecurity and compliance programs.
There has been a rise in popularity of turnkey, subscription-based solutions that promise a SOC 2 ready environment in a fraction of the time. While this sounds appealing, the process may not be as easy or as effective for your organization as some case studies show. There are 6 fundamental areas to consider before engaging with a platform provider for your compliance program needs.
The platform’s reporting limitations, generic controls, and templates
The processes and environment that you have built are unique to your organization. In fact, they are a part of the competitive advantage you have built by doing things differently.
Compared to a partner firm that helps you improve your processes while achieving a compliant environment and maintaining your culture, the automated and accelerated platforms provide canned templates that often require either significant changes to your process or a deep enough understanding of the standard to modify the templates to fit your process.
Further, the dashboards and reporting capabilities may tell you that you’re out of compliance, but they don’t always help guide you through the right solutions for your environment. Similar to the policies, the solution recommends actions that may not make sense in your environment, or worse, may only help you check the compliance box, when a better alternative solution could have added value, or at least been more cost effective.
Cybersecurity and compliance should be incorporated into the processes and culture of the organization. Creating policies and procedures for the sole purpose of meeting a compliance regulation may help achieve a passing audit, but will decay quickly, and the organization will not recognize any value added outside of the certification or report as part of the process.
Continuous reporting requires governance
The programs that provide continuous reporting on your controls and compliance posture often create additional governance needs or add new risks to the organization. If a dashboard is reporting that controls are out of compliance, and the organization suffers a security incident, downtime, or worse, a data breach, it may lead to claims of negligence.
To avoid this, organizations would need to develop governance over the tool and dashboard itself, which would need to include monitoring and remediation requirements. Even then, this poses a greater risk to the organization without any major added benefit, because if a control fails within an audit period, an exception and management response will be required whether it has been remediated within days or months.
The platforms are often built to serve small and medium businesses. Most organizations tend to grow faster than some of those solutions can accommodate, so you will need to ensure you’re not investing in a solution that will not be able to scale with you. Most platforms run a single dashboard that becomes a greater challenge once your organization grows beyond a certain range of FTEs or business unit complexity.
These applications can also include assumptions that the platform developers have baked into their software. Because of these assumptions, the platforms at times start to deteriorate under added complexity that was not accounted for, including applications that span multiple accounts, different development teams, and different compliance requirements for different sets of applications. Ultimately the standardized approach becomes unable to support the complexities that mid-size and enterprise-level organizations face.
Proprietary approach creates a lack of portability
The platforms are meant to stay with you throughout the life of your compliance program. This means that all your work, policies, processes, and services are tied to an ongoing subscription. If the provider goes out of business, raises its rates, or gets acquired (and then raises its rates), your compliance program could be in jeopardy, or you may be faced with having to start all over again.
Timelines quoted are best case scenario
These are not plug-and-play solutions. The marketing materials exhibit best-case scenarios, and we have observed that the implementation can be as fast as three months, but it is typically closer to, or in excess of, a year before the platform is properly configured and begins compiling data properly. Additionally, the platforms lack the relationships and understanding to help you accelerate your compliance journey, and they are unable to work with all audit firms to find the right choice to ensure you achieve the client requirements or market need you are looking to accomplish.
We recommend that organizations take a strategic approach to cybersecurity and compliance. This begins with determining short- and long-term market goals and translating those into compliance and certification requirements (e.g., SOC 2, HITRUST, FedRAMP). Once the short- and long-term compliance goals have been determined, the organization can evaluate the right technical security, compliance enablement, and audit partners to help achieve its goals.
If you’re evaluating your compliance needs, we would love the opportunity to help you develop your strategic roadmap. Contact us today for a free consultation.