You Bought a Compliance Automation Tool… Now What?

Your compliance tools and automation say you’re in the clear. Everything’s marked complete, deadlines are met, and the compliance dashboard is all green.

But when it’s time for the audit, you’re still unprepared.

In this episode, Kaitlin Zanoni, Security Advisor at Trava Security, breaks down the reality of compliance automation. She explains where these tools add real value, where they fall short, and why pairing automation with expert guidance is the only way to build an audit-ready compliance program.

Key takeaways:

  • Why compliance automation tools help with evidence collection but can’t replace expert guidance
  • How overreliance on automation creates a false sense of security during audits
  • The role of people, processes, and technology in building a sustainable compliance program

Want to dive deeper into choosing the right compliance tool and how it fits into your audit journey? Check out our blog, Why the Right GRC Tool Is Critical for Compliance Certification, for actionable tips and expert insights: https://travasecurity.com/right-grc-tool

Episode highlights:

(00:00) Tools and automation: Is this enough for compliance?
(04:38) Common compliance automation tools
(05:51) Limitations of automation tools
(07:33) The importance of human experts
(10:22) Choosing the Right GRC Tool

Episode Transcript

[00:00:00] Kaitlin Zanoni: Tools help to automate that evidence collection aspect, but they don’t understand your organization or your business risks. Compliance as a whole needs the people and the processes and the technology working together.

[00:00:15] Jara Rowe: Gather around as we build the real Tea on Cybersecurity, minus all the confusing jargon. I’m your host, Jara Rowe, and this podcast is where we cut through the confusion and get the truth about security and compliance. This is a podcast from Trava Security, so I often come across companies that feel like they only need a compliance automation tool to get compliant. So on this episode of the Tea on Cybersecurity, we’re getting down to the real tea on compliance automation, and I actually have a first-time guest with us on this episode. Kaitlin, I’m so excited to have a new face on the podcast.

[00:00:59] Kaitlin Zanoni: Thank you. Great to be here.

[00:01:01] Jara Rowe: All right, so please introduce yourself to the listeners.

[00:01:05] Kaitlin Zanoni: So I’m Kaitlin Zanoni. I’m a Security Advisor here at Trava Security. I help clients walk through their compliance framework journey, whether it’s privacy or security, SOC 2, ISO—meeting those compliance goals and not just checking the box, but also making sure that we have the actual security set up within your systems as well.

[00:01:32] Jara Rowe: That’s all real important. I’ve learned so much about not just checking boxes, so I can’t wait to dive into this conversation with you.

[00:01:40] Kaitlin Zanoni: Great. Let’s get started.

[00:01:42] Jara Rowe: Yeah. Alright, so for those that may not know, what is compliance automation and what are those tools?

[00:01:49] Kaitlin Zanoni: Great. So I’ll start out with what is a compliance automation tool exactly. So there are so many out there right now, but really it’s just a way to provide a dashboard and a one-stop shop for all of your evidence collection, framework explanations, even your policy documents. And then it also provides a lot of automation there with evidence collection as well, and even an audit hub where an auditor can come in and examine the evidence right there and then.

[00:02:21] Jara Rowe: All right. Yeah, so I can definitely see the benefits of one of these tools, but I know a lot of people feel like buying the compliance automation tool is all they need and it potentially replaces an actual compliance expert. So is that true?

[00:02:39] Kaitlin Zanoni: I would say the short answer is no. So to go into that a little bit more: tools help to automate that evidence collection aspect, but there are some areas that they don’t cover. They’ll send out regular reminders, they will help organize tasks, but they don’t understand your organization or your business risks. And so I like to think of QuickBooks really as a good example for this. It’s a great tool, but it doesn’t replace the need for an actual financial advisor. So compliance as a whole needs the people and the processes and the technology working together.

I’ve seen some startups assume that automation and an automation tool will really just check that box for them—and especially if it’s a smaller company, they can avoid spending the extra money it might take to bring on an expert—but then six months later they realize that they have scoping questions that they didn’t get answered. They still need policies, and they need someone to help explain their evidence to the auditor as well. So best case scenario here is a tool that can help automate that workflow and accelerate the process—and then experts to make it audit-proof.

[00:04:00] Jara Rowe: Alright, so that totally makes sense. So the tool is helpful for sure, but the experts are able to dig a little more into the actual company side of things.

[00:04:12] Kaitlin Zanoni: Exactly. We want to match your business to the compliance need. So we’re checking the boxes and all the questions that the auditor might ask during an audit, but we’re also making sure that your systems are actually matching what your policies say, that we are building that security maturity so that when customers come in and have questions, you have the ability to answer those with confidence.

[00:04:38] Jara Rowe: That’s great. Okay, so what are a couple of examples that people may come across when looking for an automation tool?

[00:04:47] Kaitlin Zanoni: So there are so many. I would say that three of the biggest that I’ve seen are Drata, Vanta, and Secureframe. All of those have really great aspects to them—great automation. Some of them even provide automation with things like security questionnaires to really help take a lot of that time off your plate. Answering those hundred-or-something-question Excel spreadsheets or platform questionnaires can be really intensive, especially for small companies. And so having an automation tool—Drata or Vanta—they have an AI aspect that can actually build onto your compliance checkboxes of what you have and then help automatically answer those questionnaires for you. So that’s a really great aspect there as well.

[00:05:35] Jara Rowe: Yeah, absolutely. I’ve definitely seen or heard stories about how tedious some of those questionnaires could be. So having a tool to help with that I’m sure frees up a lot of time for some teams.

[00:05:50] Kaitlin Zanoni: Yes, it does. Very, very much.

[00:05:52] Jara Rowe: Alright. So I feel like you were diving into this a bit already, but where do these tools fall short without a human expert being in the picture?

[00:06:04] Kaitlin Zanoni: I will say that the tools will report what is configured, but not necessarily if it’s correct for your system. It doesn’t really decide scope or strategy. It doesn’t ensure that your timeline is ready for the audit. Evidence can really start piling up as you gather it, but it doesn’t necessarily mean that it’s going to answer the correct questions that the auditor has.

Even if you have a compliance tool with a dashboard that shows all green and no red, it can still be a struggle when the audit actually comes around because the auditors are asking about evidence that you might not know how to explain. Potentially, evidence has been gathered that doesn’t actually meet the compliance requirement—even though it turns that test green in the compliance tool.

So the experts can help come in and bridge that gap. We can really tailor a full strategic plan from start to finish just to show all of the different milestones that have to be met for compliance and then tailor that to your organization’s timetable, making sure that everything stays on track.

And then in actual evidence explanation areas, we come alongside you during the audit. Since we understand your systems, we can help fight for that evidence and really ensure that the auditor’s questions are all answered throughout the audit.

[00:07:32] Jara Rowe: Okay, so this definitely seems like a team effort of tools and experts. So how would Trava and an automation tool and then the auditor work together in this group or ecosystem setting?

[00:07:49] Kaitlin Zanoni: It’s really like a relay race, where the compliance advisor can come in and begin providing you that scoping information, helping you with decision-making, and provide you that strategic plan to make sure that you meet all of those milestones for your audit and that your evidence that’s being collected is actually the correct evidence.

We can also help build out that compliance tool, making sure all your applications are integrated correctly so the automated side of that tool is working properly. And then the auditor will come in when it’s their time, be able to review all that evidence in a very organized manner through that compliance tool, and the expert can walk alongside that process answering any questions they have as well.

[00:08:40] Jara Rowe: Alright, that’s fantastic. So again, definitely a group effort. So if someone were like, “I don’t need the consultant,” and they’re like, “I’m only going to get the tool,” what’s the danger of relying on automation alone?

[00:08:58] Kaitlin Zanoni: So I would say that the danger there is the risk of a false sense of security. The dashboard on the compliance tool might be green, which is really exciting. It might say you’re at 100% compliance, but it doesn’t necessarily mean that all of that evidence is going to answer the auditor’s questions or your customer’s questions.

So the tools can’t really judge the quality of access reviews or interpret policies for you or understand your security maturity level as a whole. And that’s where the experts come in. The danger you want to avoid is walking into audits with months of evidence that you’ve spent time and effort collecting that doesn’t actually answer the auditor’s questions. That can create just really huge delays in time and extra cost and sometimes even failed audits.

So the automation tool plus the expert advisor will help build that trust and a very real solid compliance foundation as well that will get you through that audit.

[00:10:06] Jara Rowe: That’s awesome. I’m glad that you broke that down for everyone. But in case there’s still a listener and it’s like, “I don’t need all this other stuff. I’m only going to get this automation tool,” what should a startup look for when choosing their GRC tool?

[00:10:23] Kaitlin Zanoni: I would say part of that is going to really be the design of the tool. Does it fit your needs? Are the frameworks that it provides the frameworks that you are wanting to test for compliance? Does it really scope out your systems well enough?

You want to make sure at the very start of using a GRC tool that it can actually integrate with your systems and your applications. So if you’re using AWS or Google Cloud or GitHub, you want to make sure that the tool can actually integrate and properly collect evidence from all of those applications as well to make your life easier.

And then I will also say the cost-benefit analysis as well is something to think about. Different tools are more expensive than others, but a cheaper tool is not necessarily going to make your life better. So that’s also something to consider, especially if it’s a smaller SaaS company.

And then I will also say the compliance tool, again, is not going to by itself get you to that finish line. So just understanding how the vendor behind that compliance tool works and just asking questions and how that is communicated is also going to be very, very helpful for your team.

[00:11:46] Jara Rowe: Yeah, for sure. And I can only imagine from someone that has to learn new tools that there’s a bit of a learning curve as well. So probably picking one that makes it easier or a faster ramp-up would be helpful too.

[00:12:01] Kaitlin Zanoni: Definitely. Yeah, seeing what their onboarding process is like and how quickly and how easily you’re able to get personnel implemented into the tool and onboard for that and what kind of trainings they have.

[00:12:15] Jara Rowe: Absolutely. Alright Kaitlin, we covered a lot of information here about compliance automation and then the overall compliance ecosystem. So I’m going to do a quick recap to make sure I got it.

So compliance automation tools are absolutely a necessary step in becoming certified, but there are some limitations, as the tool may not fully understand some of the nuances of a business, or the evidence may need to be explained a little more to an auditor—which is why a compliance expert makes sense to be included in this process. Is that right?

[00:12:59] Kaitlin Zanoni: Yes.

[00:12:59] Jara Rowe: Alright. Well listeners, I hope you got a lot out of that and we will see you soon on the next episode of the Tea on Cybersecurity. And that’s the Tea on Cybersecurity. If you like what you listened to, please leave a review. If you need anything else from me, head on over to Trava Security. Follow wherever you get your podcasts.

The Tea on Cybersecurity

Cybersecurity—a word we hear all the time. Show of hands for those that actually understand what it means.

The Tea on Cybersecurity is here to help educate the newbs on what cybersecurity is, why it is important, and everything in between. The Tea on Cybersecurity is for everyone, but especially those small and medium-sized businesses that are starting their journey in building a cyber risk management program. Each show is about 15 minutes long, to deliver you the facts with less fluff.