Panel Insights: Finding the Right Cybersecurity Compliance Partner
Dan Katt: Good morning everyone. Dan Katt here. I lead the sales and marketing organization over here at Trava. We're a compliance advisory organization working with partners like SecureFrame and Insight Assurance, who are joining us on the panel this morning. I'm going to turn it over to the individuals on the panel for quick introductions before we get started with the broader session today, and we'll just go in the order that I see them on my screen. Marc, I see you on my screen first, followed by Jim and then Jesus. Marc, if you wouldn't mind kicking us off with a quick intro as to who you are, and you're on mute, just as a heads up.
Marc Rubbinaccio: Good thing. Thanks Dan. Hi everyone. My name is Marc Rubbinaccio, based in New York City. I work for a company called SecureFrame. We are a software platform that helps you organize all of your compliance efforts; it doesn't matter what frameworks: SOC 2, ISO, PCI DSS. What I do for SecureFrame is help with building those compliance frameworks and then helping our customers understand what they need to do in order to become compliant. Previously, I used to be a QSA, or PCI DSS auditor, and also a penetration tester, so I have a few years of security background myself. Jim, I'll pass it on to you.
Jim Goldman: Thank you Marc. Jim Goldman, CEO and co-founder of Trava Security, located in Indianapolis, Indiana. 30-plus years in cybersecurity and compliance SaaS companies. I'm also a certified ISO 27001 lead auditor. Of course it was to the 2005 standard, but even so. I spent five years in the FBI as a task force officer in the FBI cyber crime task force and then ended up at Salesforce as their vice president of security governance, risk management and compliance. I was responsible for all their GRC globally across all their clouds and products, and I have been with Trava since May of 2020.
Jesus Jimenez: Excellent. I can go next. My name is Jesus Jimenez. I'm one of the co-founders at Insight Assurance. I've been in the industry about 15 years, formerly Ernst & Young. So Insight Assurance is an audit firm. We focus on SOC attestation, ISO certifications, PCI DSS assessment, among other frameworks. So I'm just looking forward to collaborating with Jim and Marc today.
Dan Katt: Awesome guys, I appreciate the intros there. It sounds like we've got a well-informed and experienced panel for the conversation today. I think this is going to be a really interesting topic with a lot of different perspectives based off of the backgrounds, and this topic is one that we hear about fairly often at Trava. What does an auditor do? What does an advisor do? Where does technology fit into the mix, and how do I know how best to engage with all these different participants in pursuing a compliance certification? With that in mind, maybe the first question to our panelists; I'd love to hear perspectives from all three. When you think about a cybersecurity partner, a compliance partner, what exactly does that entail, and why is it important for businesses, whether you're an early-stage SaaS organization, as an example, or a more mature organization? What does a compliance partner really entail? Jesus, if you want to kick us off with that, that'd be great.
Jesus Jimenez: Yeah, absolutely. So a compliance partner is going to be those organizations that are going to help you on your journey from not being compliant with a specific framework or regulation all the way to being able to show that certification, whether it's ISO or that SOC 2 report, right? So it is very key to differentiate the types of partners that you have. You have your compliance partner or your consultant, such as Trava, that is going to help you implement that security program and maintain it afterwards, and then you're going to have SecureFrame that is going to help you with the technology side, just to make sure that you connect your key systems and make sure that you're maintaining those controls.
Dan Katt: Perfect. Jim, anything to add to Jesus' explanation there?
Jim Goldman: Yeah, actually, I mean I had a strange thought, but those of you that know me may not think it's all that strange. Early in my career, I actually taught math, and I had a sudden flash of an equilateral triangle. The three points. And I think, I forget, but I think that's the strongest geometric shape in the world or something, the equilateral triangle, and that's really what is required in order to successfully navigate this compliance journey. You need those three points. You need the compliance advisory, you definitely need a compliance platform of some type in order to automate this whole thing so you don't lose your ever-loving mind, and then you absolutely need an external auditor. Those are the three points.
Dan Katt: Yeah, I appreciate that and I think everyone in the audience, you just got your math lesson for the day, so I'm sure there'll be more of those sprinkled throughout the session.
Jim Goldman: Well, I'm planning to bring in physics later.
Dan Katt: Oh, great, great. So compliance and physics. Perfect. Great way for a Tuesday morning. And then, hey, Marc, your perspective. Obviously we're all technologists, but you work at a technology-first company. I'd love to hear your perspective on where compliance partnerships fit into the mix there.
Marc Rubbinaccio: Yeah, totally. I think of compliance partners as third parties that can help with a specific aspect of your information security program that you don't have enough resources, or don't have the resources at all, to actually do. So imagine trying to build software without engineers. You need partners that have the expertise in the domain in which you're looking to achieve these specific tasks, right? Things like risk assessments, penetration testing, vulnerability assessments. And then when we're talking about compliance, there's a lot of expertise that's needed to make sure that you're scoping right, doing readiness properly, and then organizing all of those controls in a specific way, which is something a tool can do.
Dan Katt: Yeah, it makes a ton of sense there. I appreciate you adding some additional color. In fact, you threw out a couple of other terms that I think segue really nicely into the next general concept of determining the need. I think we've all heard horror stories in the past of bootstrapping a compliance program via Excel spreadsheets, PDFs, email, a very old-school way of doing it, and obviously GRC platforms are helping to address that particular challenge, but the underlying theme that we run across a lot is the needs-versus-wants conversation. So Jesus, Marc, Jim, I would love to understand from you all, in your experience, when does an organization typically realize that they have a need for a compliance partner? Jim, I see you're off mute. Maybe we'll start with you real quick.
Jim Goldman: Sure. There's an expression, money talks and BS walks, and I think that's actually what this comes down to. As much as we'd like to think that the motivation starts with wanting to do the right thing, that type of thing, more often than not, it's a compelling business event. So a major contract, a breakthrough contract, first international customer, first enterprise customer, that sale that could literally launch, let's use a SaaS company as an example, could literally launch their growth curve, launch the hockey stick part of their growth curve. It seems like more often than not, that's what it is. It's a compelling event. Now, it may be a compelling business event or it may be a compelling regulatory event, because all of a sudden either the industry that they're in, or the government of the country or state in which they wish to do business, has passed new regulations on either the security or privacy side. In my opinion, it's some type of compelling business or regulatory event.
Dan Katt: Yeah, that makes sense. Marc, I'm curious from your perspective, where do you see organizations realizing they've got this need for a partner?
Marc Rubbinaccio: Yeah, I completely agree with Jim, and that's basically exactly what I was going to say as well. Really the need comes from either you're trying to acquire new business and these folks are doing their due diligence as part of their own information security programs, which require you as an organization to be able to prove that you have security measures in place, or you're looking to spin up a service and that third-party service provider won't help you spin up that service if you're not compliant. For PCI, for example, a lot of the time that comes with payment processing, and these third parties that are going to trust you with sending customer cardholder data need you to prove that you are PCI DSS compliant. So in order to unlock that business, that's when you need to start looking into how to become compliant, what it takes to maintain, that sort of thing. I would say 99% of our customers, if not a hundred, are in the business of using SecureFrame because they need to unlock new business or need to unlock a service that they're trying to use.
Dan Katt: Yeah, I think there's the ROI conversation of how far can I get with manual activity versus leveraging some of the automation capabilities within a GRC platform, right? Jesus, when it comes to the needs-versus-wants conversation, I imagine you have a very unique perspective leading an auditor organization. I would say Insight Assurance is categorically in that needs section, as you're delivering the opinion. What's your perspective on when organizations realize they need a compliance partner?
Jesus Jimenez: Yeah, absolutely. Like you mentioned, we are on the certification side, the attestation side of the house. So many times the organization will learn through their sales process or their sales cycle that, hey, I need to be SOC 2 or HIPAA compliant. And they come to us, and during the discovery call we start talking about the different areas that they need in order to be compliant. So hey, do you need a penetration test? You need your policies and procedures to be in place and disseminated across the organization. And then when we start having those discovery calls and we start educating that client, that's where the client realizes, hey, I might not have the expertise that is needed in order for us to achieve that certification. So that's when we as Insight Assurance, as an auditor, will tell them, "Hey, we're not able to write policies for you. However, we do have partners like Trava that are going to help you do the implementation and maintain your organizational controls throughout the process; that way you can come prepared for the audit." I think many companies have that concept of, hey, we want to bootstrap this certification, and that's not always the best way to do it. You've got to understand what is needed and whether you have the expertise, because we see many companies that try to do it themselves and they don't do such a great job. So basically, making an investment in a partner that is going to help you have a successful completion of whatever certification or attestation is definitely key.
Jim Goldman: Just to reinforce that, I've always felt that auditors like Jesus have the hardest job in this whole life cycle, because many times potential customers start there and they say, "Oh yeah, we're ready. We're ready to go. We're ready to be audited." And it's Jesus and his associates that have to say, "Yeah, actually you're not ready at all."
Jesus Jimenez: And you've got to make sure that when you're doing the process of vetting your partners, you chat with different audit firms, you chat with different partners, because there are going to be some in the space, in the ecosystem, that are going to tell you, "Yes, we'll take you through the certification." However, it doesn't do you any good to get a SOC 2 with an adverse or a qualified opinion, right? You have a partner that is going to help you: "Hey, let's try to get a clean report." I mean, even though getting an exception is not the end of the world, I mean, we always tell clients, "Hey, just use this as a learning opportunity." However, if you're just trying to cut costs and then you're going to get an adverse opinion whenever you get that SOC 2, the third party... it's not going to do you any good, because they're going to see you don't have your ducks in a row, if you want to call it that. Right?
Jim Goldman: The cleaner the better. Absolutely.
Dan Katt: Yeah, absolutely. I couldn't agree more, cleaner the better, but I think you raised a couple of interesting points, Jesus, and I want to hear from the panelists here. Every now and then we'll run into organizations that don't have a great understanding of the cause and effect that exists if they pursue certification or attestation too quickly without being ready. Maybe you can expand a bit on, hey, what are some of the unintended consequences that occur if you go pursue a certification or attestation without being ready? Can you talk to that a little bit, Jesus?
Jesus Jimenez: Yeah, absolutely. I mean, you're going to see that either on the SOC 2 side, where you're going to get a report. There isn't really any remediation that you can do, so at the end of the day, you're going to get a report, and the results might not be what you were expecting. But then when you're doing other types of certifications, let's say a type of certification like ISO 27001, you may get some major nonconformities that are not going to help you achieve that certification. You're going to have to do some major remediation on your side, and that's going to extend the time that you're expecting. So if the client is expecting you to be certified within three, six months, whatever time it is, now you're going to have to go to them and tell them, "Hey, this is going to take a year because we're not ready yet." So you're probably going to have loss of revenue. You might lose partners as well, because some partners might not want to trust their data in your environment because you don't have a secure environment, and things like that.
Dan Katt: And those are great acute examples. Really appreciate you expanding on that, Jesus. For the other panelists, Marc, Jim, in that same vein, are there specific indicators that you've seen when working with organizations that are making the decision: is it the right time for us to bring in a compliance partner? Are there specific examples from your past that you can point to for the audience from an "oh, that sounds like me" perspective?
Marc Rubbinaccio: I think that the clear indicator that additional partners are going to be needed is if it's that organization's first time going through an assessment. That's basically the initial flag, right? Jesus, I'm sure if you have a customer reach out to you and they're like, "Hey, we need SOC 2, never done it before," then it's like, okay, well, what do your internal compliance resources look like? If you don't have a strong internal compliance team that has done SOC 2 in the past, at that point it's pretty much required that you bring in some folks that can help you prepare for that assessment. I think one of the biggest issues that happens for folks that go into the assessment without being prepared is that it takes longer and it costs more money for them in order to be fully compliant. So Jesus talked about how nonconformities happen. Maybe they're a big issue, maybe they're not, but let's say you had a timeline. If you get that audit done and then you have 50 items to remediate, that timeline is exponentially indefinite, so that could absolutely impact your ability to become compliant and when you should bring in additional resources. Jim, if you have anything to add?
Jim Goldman: Yeah, I mean I think Marc nailed it when he started with people. And there's an old expression: if everybody's in charge, then nobody's in charge. And so when you talk to an organization and there is nobody that is solely responsible for compliance, but they say, "Well, Bill's in charge of the engineering part and Mary's in charge of this other part, and a third person's in charge of this other part," that's not going to work well, because all three of those people have other priorities, have other full-time jobs. So that's usually my biggest warning sign. I look at the organization first.
Dan Katt: That's a great point. The orchestration of a series of disparate activities that all, in the aggregate, support the business and obviously your compliance initiative. That's a great way to segue to when we think about vetting a compliance partner. If we've made the decision, hey, we're not prepared as an organization to take this on ourselves, we don't have the right expertise, the capacity, the capabilities, as an organization, what's the criteria that we should be considering when vetting a potential compliance partner, whether it's an advisory firm or a software technology or an auditor? Marc, I'd love to hear your perspective on that one.
Marc Rubbinaccio: Yeah, we do have a lot of customers that come to SecureFrame and they just don't know what they need. They know they need SOC 2, ISO, PCI DSS, but they don't know what other third parties they need to entertain, what tooling they need to implement. So what we do is we partner with audit firms like Insight Assurance, and all these audit partners have different criteria or capabilities, or they're different in how they perform an assessment. So there are a couple of key indicators that you need to determine as an organization: what is important to you? One of those things is time: how soon do you need to get an audit performed? Depending on the auditor, they may be backed up; they might not have the ability to perform that assessment within your timeframe. That's something that's important to be clear about. Another thing is cost. If you have a strict budget, then that is going to limit the audit firms that you can bring on to perform an assessment. Some audit firms like Insight are very much more white-glove support. They are there to be your partner instead of just... Some of these other firms that are cheaper in the industry will just go ahead and perform an attestation and not be able to provide you the type of support that some other audit firms can provide for you. So I think there are a couple of indicators there that you need to figure out before you go ahead and reach out to these firms: cost, time, and then the amount of assistance that you need during this audit process. Are you looking for a full-fledged partner? Are you looking for somebody to just come in and sign on the dotted line?
Dan Katt: Appreciate that, Marc. Jesus, curious your perspective on this as well.
Jesus Jimenez: Yeah, absolutely. So one key area is, is the firm accredited or is it registered? For SOC 2, is the firm registered with the AICPA? For ISO, is it accredited, are you going to get an accredited certificate? Remember, there are firms that are doing ISO certifications that are not accredited. So for example, we are registered with, what is it, IAS, which is registered with the IAF, which is recognized worldwide, whereas there are companies that say yes, I can give you a certification, but it's not accredited. That's big, because I mean, at the end of the day, if you're working with a firm that is not accredited or not registered, you're basically just buying a very expensive piece of paper, right? So yeah, so that's key. Another one is the expertise, right? Do they have the expertise to perform your SOC 2, ISO, PCI assessment, and then are they used to working with compliance automation tools like SecureFrame? Because that's another thing: they might say, "Yes, we'll use your GRC tool," but then they'll have you use the tool and then upload all of the evidence that is already in SecureFrame into their internal tool or whatever it is they have, which pretty much kills the efficiency of the whole process. Because now you're doing double the work, that investment is going to take double the amount, and then you're basically losing the ROI on using that tool, that compliance automation tool.
Dan Katt: That makes so much sense. And so if I were just to roll this up, I heard capacity is a key variable, capability is a key variable, expertise is another key variable. Experience, which I'm going to say is different than expertise in this case, is a key variable. One thing I didn't hear mentioned, Jim, and I'd love to hear your perspective because, as an advisor, I think of the advisory firms as really in the trenches with the client organization helping to build their program: how important is culture, a cultural fit, in your advisory partner, audit partner, technology partner? Where does that fit into the equation?
Jim Goldman: I think that's important, but actually the nuanced point I was going to make was track record. I think when it comes to choosing an advisory firm, track record is everything. And what I mean by track record is: what percent of the customers that that advisory firm brought to external audit, like with Insight Assurance, what percent passed on their first time through, and were there major findings? How clean were their reports? At the end of the day, that's really the true measure of the effectiveness, to your point, of the culture of the advisory team and the customer being able to work together most effectively. So to your question about culture, I think it's critical that the cultures match, and a lot of the culture has to do, on the customer side, with how serious they are. Are they just looking for a checkbox, et cetera, or do they want to build a legitimate program? And so that's the match that we always look for.
Dan Katt: Makes sense. Yeah, no, it makes a ton of sense. Marc just came off mute. Did you have a comment to add?
Marc Rubbinaccio: Yeah. If we're tacking on just a few more things to look for when it comes to a consultant, advisor and also an auditor... And then you mentioned culture, right? There's your industry or your vertical, right? Let's say you are in crypto or you are in healthcare; you want to make sure that these partners have worked with firms in a similar industry and they're familiar with that industry. That really helps when it comes to them understanding the specific requirements when it comes to all of these compliance efforts. And then also your environment. Let's say you are fully in the cloud, you're hybrid, you're totally on-premise; depending on the type of infrastructure that you're using, if it's fully managed Kubernetes, if it's all hard servers, mainframes, you'd want to make sure that your advisors, your auditors even, are experienced with assessing and reviewing these types of technologies. That way you know you're getting the right expertise when you sign on these partners.
Jim Goldman: That's a really good point, Marc. What occurs to me is everybody knows and tosses around SOC 2, ISO 27001, PCI, et cetera, but many times customers have, and I'm speaking from my Salesforce experience, customers have more obscure certification requirements. There were three certifications we went through just for the German automotive industry.
Jesus Jimenez: Yep. No, that's a great point, Jim, and I was going to mention actually: is the firm or the consultant or the platform going to be able to adapt as you continue to grow? What are your goals within two years? Are you only doing SOC 2 this year, but then you're thinking about, hey, I want to do ISO, PCI, HIPAA? Is the organization going to be able to support those other frameworks? Because at the end of the day, the way we look at this, and we look at all of our relationships, is that we want to do a long-term partnership. We don't want to do an audit and then just disappear from the whole relationship. So we want to say, "Hey, what are your goals long-term, so we can continue to support you?" Whether it is [inaudible], NIST, ISO 42001, you want to make sure that you work with a partner that is going to be able to support you long-term rather than just one year.
Jim Goldman: Not to mention the whole privacy side of the house: GDPR, CCPA, CPRA, all these different state-specific ones now.
Dan Katt: So with that thread, I think it makes a ton of sense on the different criteria that you need to think about when evaluating what's the right technology, who are the right service partners that you want to work with as you go to market to pursue your certification. We oftentimes run into the scenario of, well, how do I build a business case that is going to clearly articulate the upfront cost of buying technology or engaging in services? And oftentimes our customers have some challenges associated with that. Jim, you've led a GRC function and you've been on the buyer side of this type of scenario before. I'm really curious from your perspective, what do you see as some of the benefits of engaging with compliance advisors and auditors, and how do those roles differ once you've made the decision that, hey, we want to work with an outside party?
Jim Goldman: I think one of the, I'll call it mistakes or shortcomings, in making this business decision about pursuing a certain certification or not is that companies look for what I'll call immediate one-to-one payback: I need to fully recoup the cost of the investment to get this certification from this one contract or potential contract, and I think that's the wrong way to look at it. I think the more enlightened leaders look at, well, this is just the first of many potential contracts that we could get if we get this certification. So I've seen too much shortsightedness in terms of the decision making, and they're looking for just the ROI on this specific deal, and depending on the size of the deal that's not always going to work out. Sometimes it does. I mean, I was on a call earlier today where a potential client has a chance at a half-million-dollar contract, but they need to be CMMC or DEFI certified. We can do that for way less. The ROI on that is clear in one contract, but that's not always the case.
Dan Katt: What about when it comes to the roles and the differences between an advisor and an auditor? How would you characterize those pieces? Jim, Marc, Jesus.
Marc Rubbinaccio: One thing I'd like to tag on, just in terms of cost and how to actually picture how much you're spending on this entire engagement: it is like you're going into a project and you need resources on that project. You can hire somebody internally, and it's clear what you're going to pay them, a salary annually. What we're doing is offering alternatives with advisory services and technology, and with those combined... an audit is going to be required no matter what. But with advisory and technology, that's something that we consider an alternative to you bringing in a full-fledged team to handle all of this. So I just wanted to tack that on before we jump into the differences between advisory and audit.
Jim Goldman: I think that's a super important point, Marc, because in our experience, it's not just trying to hire these people. More importantly, it's trying to retain them. We've had several customers that hired them. Then, for whatever reasons, their one compliance person left and they then made the decision, we're done playing this game. We're not going to try to backfill this person with an FTE anymore, because it's a revolving door.
Marc Rubbinaccio: I mean, we can go into the nuance. It's difficult to hire somebody in information security, especially if your team is not sure exactly what the skills are that this person needs, and then how do you retain that one person, right? Then you have to worry about actually managing an employee, whereas with the advisory services, they're a partner of yours and you pay them to be a partner. They're involved in your environment and all the changes that are being made, and they're there like somebody that you can call at any time or take meetings with, and it's a fantastic alternative.
Jim Goldman: But the partners have an entire bench of people with a variety of skills, so you're not dependent on this one employee that you were able to hire who supposedly now has to do everything.
Dan Katt: Great. Yeah, that's such a great point. I'm going to keep us moving along here. So when we think about working with an advisor, auditor or your technology partner, how do you ensure that this is going to be a productive and collaborative relationship? Do you all have any hacks around that piece?
Jim Goldman: I'll actually start. One thing it took us a while to figure out, but that we do now: there's an old expression, singing off the same sheet of music. And so what we did was we developed literally a graphical, picture's-worth-a-thousand-words roadmap with milestones for the entire compliance engagement. And that way the client and the advisor and the auditor, and in many cases the GRC platform as well, are all on the same page about how all the pieces fit together, what's going to happen month by month or quarter by quarter. And the nice thing is, when you start the engagement, usually the customer has an idea that says, "Well, we need to be SOC 2 certified by this date," or, "Our critical customer said we've got to have that ISO certificate on this date." And it's like, "Fine, we're going to work our way back from that." As simple and as obvious as it sounds, that's probably been the single greatest thing that we've done to assure success.
Dan Katt: Jesus, what about from your perspective? When working with an auditor, how do you really ensure a productive relationship as the client organization?
Jesus Jimenez: So I would say number one is to make sure that you have management buy-in, just to make sure that everyone in the organization understands what the goal is. Say, hey, the organization's goal is to be SOC 2 compliant, and that's going to require people from HR, people from different sides of the organization, to understand that, hey, we're going to need to produce certain evidence. There are going to be some controls that are going to be in place, and they need to be maintained. Organizations going into this compliance effort, I think, see it as a one-time thing and not something that you're going to have to keep or maintain for the future of the firm or the company. So making sure that everybody knows and is engaged in the process is very important. I mean, if you're working with a company like Trava, you want to make sure that people have the availability to work with them to produce the evidence that needs to be produced in order for it to be successful. Because the last thing you want is for us to come in, try to do our fieldwork, do our testing, and then there is no evidence or people are not executing the controls. And that's going to be a challenge, because you're going to end up with exceptions or issues. I mean, obviously on our side, we try to educate our clients as much as possible, work very closely with our consultants, our advisory partners and technology partners, to make sure that at the end of the day it's a successful process. However, it does require that the company understands that, hey, it is not just a one-person journey; it's like everybody as a company working together to be compliant with whatever framework you choose.
Dan Katt: That makes so much sense. And I think what you just covered are some of the critical steps as you prepare for an engagement with an auditor or an advisory firm or onboarding technology. For the group here, what are some of the common challenges or pitfalls that you've seen organizations face when selecting a compliance partner? And it's a two-part question: what would you advise them on, on ways to overcome those challenges? Jim, question to you.
Jim Goldman: Well, I love to turn a question around and not answer it, because where I thought you were going was, okay, you've selected the compliance partner, and what are the challenges that you most commonly see in the engagement? And that usually has to do with the customer thinking they're going to have the time to give to this project, and it really is a high priority, and then it's like one thing after another. "Oh, sorry, this happened. I have to cancel this meeting. Sorry, have to cancel that meeting." And then all of a sudden that roadmap that we're talking about starts to slide. So that's the thing that we find most commonly. And how do you fix it? Open, honest communication. "Okay. Is it still a priority?" "Yes." "Okay. Clearly what we're doing is not working. Do you agree?" "Yes." "Okay. What do we have to change?"
Marc Rubbinaccio: And to back that up, Jim, I think one good solution for that would be to have the right partners as well. All of our customers, they onboard and they're like, "Yeah, we need SOC 2 as soon as possible." We know it's not going to happen. Things happen. They're building. These organizations are building software. They have a business that they need to run. It's our job as their compliance partners to make sure that they're on track for their reasonable goals. If they're using the right advisors, they're using the right technology, they have a platform in which they can organize all of their evidence. The advisors will help them prioritize what evidence should be focused on first, what their roadmap should look like based on a reasonable timeline. And if that gets pushed, then the partners can determine, okay, what is a realistic timeline at this point? And then working with the auditors, making sure that these companies are ready enough to bring in those auditors at the right time for the auditors to begin the assessment, having open communication about what is still outstanding. This is how we as partners, Trava, Insight, have streamlined this whole compliance journey, by being such good partners together and working with our customers in that way where we're all in open communication.
Jim Goldman: I think you really nailed it, Marc. One of the first and most important jobs we do, even on initial engagement, is usually talking the customer down off the ceiling because they are literally freaking out when we first talk to them. And it's almost like what we do in our process mimics the way the SecureFrame platform is put together. So we say, "Okay, never mind the controls, we'll get to that later. We're only going to focus on policies right now. Let's talk about policies. Let's talk about one policy this week." That's how you start.
Dan Katt: Jesus, what's your perspective on it?
Jesus Jimenez: I was going to say, so obviously we have good partners here on this call. You want to make sure that when you're doing that selection, you're not only focusing on choosing the lowest-cost partner. That happens a lot when companies start interviewing different partners and all they focus on is the dollar sign. Hey, how much is this going to cost me? I just want to go with the lowest provider. And I think that's the wrong way to look at things. You want to look at value, the quality, the expertise that the partner is going to bring you. Not every partner with the lowest cost is going to come and sit down with you. Jim just mentioned, "Hey, I want to understand your environment, your culture, your policies and procedures." A lot of them are just going to be like, "Hey, here's a set of policies. There you go." Without even understanding what the partner is going to be. Same on the technology side, does the software have enough integrations to make sure that you are successful? So I think spending your time during the selection process is key to make sure that your partner has those meaningful conversations with you down the road to be able to achieve that success when it comes to that compliance journey that you're getting into.
Dan Katt: Yeah, I couldn't agree more there. These decisions are not made in a vacuum, and oftentimes when we work with customers, they're entering the conversation via different on-ramps. So sometimes we will be referred an organization from Jesus. Other times it's coming from Marc. But I think one thing that is always important to keep in mind, especially as we start to pivot the conversation towards continuous monitoring and maintaining your program, is the role that tools and technology play in supporting your compliance efforts. And I'm not going to ask Marc, because you're coming from a technology organization, but Jesus, Jim, I would love to understand from you, what role do those tools and technologies play in supporting the compliance effort and how do organizations go about selecting the right ones? Jim, you're on mute right now.
Jim Goldman: I'm happy to go first because I've been in this game a long time. And by that I mean before any of these GRC tools existed. And so the way we used to have to do this was everything was kept in file folders, maybe not even electronic, maybe in literally a file cabinet and everything was organized in spreadsheets. We'd collect emails, and when it came audit time, pretty much the company would stop for two weeks because everybody in the company had to be interviewed in order to give the answers to the questions and provide the evidence. It was so disruptive, and if you look at the salary of the people that you're stopping, et cetera, et cetera, so darn expensive. And so I mean, the cost benefit of these GRC platforms is just incredible. If you look at it only as software and you don't appreciate what it costs in terms of real dollars to do it without a GRC platform, you're going to miss the whole point.
Dan Katt: Makes sense. Jesus, anything to add to that?
Jesus Jimenez: Yeah, I mean, absolutely. So I've been in the industry for about 15 years, used to do these types of audits with the Big Four. So like Jim mentioned, it took us a couple of weeks to be on site, interview different people, use the spreadsheets. So the process was very inefficient. So when we started Insight Assurance, we started it because we saw the birth of these compliance automation technologies and how we could make audits more efficient. So obviously bringing technology to your audit is just going to make it extremely efficient. It's going to allow the auditor to focus on the key areas and to stop spending so much time in the back and forth, just like, "Hey, is this piece of evidence okay or not okay?" It is more like, "Hey, what are the risks, the riskier areas of the audit? Let's focus on those." And then all of the other evidence will be on the platform already. So I think it has been a game changer. It is something that helps us make our audits very efficient and provide value and quality to our clients. Then on the same token for the consulting partner, it is also a lot easier for them to maintain the security program because remember, like I mentioned earlier, it's not only about achieving compliance, it's about maintaining that compliance long term. So that helps us maintain that compliance, and if they have any questions, as the company continues to evolve, we're always chatting and having conversations with them even if we're not in the middle of field work.
Jim Goldman: So I think that last point you made is incredibly important, and I failed to mention it before. So yes, the time you save in getting the audit done, that once-a-year audit done, the time and money you save there is great. The bigger benefit, quite truthfully, is the maintenance and the continuous compliance. So you don't want to be compliant just once a year at audit time. You want to be compliant all year long. You want to have continuous compliance, continuous monitoring. You never want to drop the ball in any of your control families at any time during the year. That's what the platform does for you because it's got that built-in project management that says, "Hey, it's time to do your quarterly access reviews," et cetera.
Dan Katt: So with that in mind, I think we're always trying to provide some additional value to our client organizations and our participants here. I am curious from the panelists here, what do you see as some of the common challenges that organizations face after the initial audit with that monitoring, the continuous monitoring and the maintenance of your program, regardless of the framework?
Marc Rubbinaccio: Yeah, I can kick us off. I think one of the biggest things I noticed is after the audit, the organization forgets about compliance until the following year. Jim, you touched on it, right? It's like you don't want to be compliant just once throughout the year. You need to maintain a lot of these controls throughout the year: firewall reviews, access reviews, personnel completing their policy acknowledgement, security training, all this stuff. There's a lot that goes into it throughout the year, and if that effort to become compliant was so stressful and so annoying, then you really as an organization don't want to think about it throughout the year. And what I've noticed is a lot of companies will take that literally, and then their next year's assessment is just as hard as the initial assessment. So actually investing in this tooling where you are able to monitor all of these requirements throughout the year, you're getting notifications when you need to complete things. You're completing things in a bite-sized way throughout the year. The next assessment is going to be an absolute breeze, and I'm sure Jesus would appreciate that very much when you come prepared with all the evidence you need during that assessment.
Dan Katt: Jesus, what's your perspective on that as the auditor leveraging technology?
Jesus Jimenez: Yeah, absolutely. So making sure that they maintain their controls after the end of the period is key. So one of the things that we do at the end of the audit is to do that education with the client and tell them, "Hey, you need to continue to maintain these controls that happen on a monthly, quarterly, annual basis." It's not about just doing your quarterly review once because you're doing an audit. Now, typically, let's talk about SOC 2, right now most companies that are getting their first SOC 2 are doing like a three- or six-month examination period. After that first audit, you're going to go to a 12-month period. Hopefully that's what your partners or your third parties want to see, that your controls are operating effectively for 12 months. So we want to do that education on making sure, hey, those access reviews that you're doing quarterly have to happen every quarter. We do sample selections, and that's fine. And you might get lucky that if you miss a quarter and we randomly selected a different quarter, you might get lucky there, but obviously we want to make sure that you maintain that for the next 12 months. So yeah, I mean, it's absolutely needed and necessary to maintain compliance.
Jim Goldman: The other thing that can wreak havoc with this is employee turnover. So Joe who was in charge of this control family left, maybe they didn't get backfilled, or didn't get backfilled quickly. If there's no platform to monitor, to raise alarms to say, "Hey, you just went from a hundred percent compliant to 80% compliant," and there isn't visibility to that, that can be a real problem.
Dan Katt: Yeah, I think the redundancy piece that these technologies offer like a SecureFrame offers with its notifications-
Jim Goldman: The visibility part. Yeah.
Dan Katt: Exactly.
Jim Goldman: Broad visibility as to how compliant we are at this point in time.
Dan Katt: Yeah.
Jesus Jimenez: One thing that I forgot to mention, my apologies, Dan, is obviously from the auditor's perspective, when you are choosing, let's say, a low-cost provider, they're going to focus on you just during the audit. They might not have any support system after the audit. So you want to partner also with an auditor that is going to be available for you as your organization evolves. Because you're going to see organizations that, hey, we're using AWS and for whatever reason we're moving into GCP. How is that going to affect your next audit? And you need to make sure that that auditor that you're working with or that consultant advisor that you're working with is available for you, not just for the time that you're doing the audit, but afterwards. So you've got to make sure that you ask those questions during your interview or discovery process.
Jim Goldman: Well, another good example, Jesus is, hey, the 2022 ISO 27001 standard is coming out. I'm currently certified to 2013. What's that mean for me?
Jesus Jimenez: Exactly. What are the deadlines to be able to go to the next one? Because you may lose your certification if you don't act in time. Right?
Dan Katt: No, that's a great point. And before we pivot over to the Q&A portion, let's talk about future trends. And I love the segue here because we've been talking about these are the things you need to be thinking about with potential changes to your organization. But if we roll it up a level, are there any upcoming regulatory changes or industry developments that businesses should be aware of that are going to impact their compliance requirements? I think AI is a big topic out there, but for the panelists, any perspectives on upcoming changes that our audience should be aware of?
Marc Rubbinaccio: Generally, I think for any frameworks that you're adhering to, you should maintain some sort of information gathering, just making sure that you are staying up to date with any of these regulatory changes. PCI DSS, for example, is going through its 4.0 change, which is one of the biggest changes it's gone through in quite some time. And because of that, there are requirements that were put in place in 2024. Now, there are requirements that need to be in place in 2025. And like Jesus was saying, some of these changes are incredibly critical and could impact your environment significantly. So if you have a great partner that understands what these changes are, they can help you implement these well prior to the requirement date. There are other regulations out there that are going to be in place and going to impact some folks. Things like the EU AI regulation is coming out, the EU's DORA is going to be in place fairly soon, impacts all financial regulations in the European Union. So there are plenty of changes and new frameworks that are always going out.
Jim Goldman: Yeah, I would add two; one's more of an elaboration on something Marc mentioned. One, the whole thing about AI, very scary. It scares everybody. A lot of people are putting it into their software, but their savvy customers, their larger customers, are going to say, "Well, I need to know more about how you implemented the AI portion of your software. I want to see a risk assessment report." There are two standards, if you will, one's the NIST AI risk management framework. So you could be assessed against that. Perhaps more importantly, there's an ISO 42001 standard to which you can get certified, which is awesome, and ISO does a great job of risk management. The second area is if you have any intent of selling your software, your product, to the US Federal Government or the Department of Defense, it's been years and this thing called CMMC continues to be evolved and defined, and supposedly in the next 30 days to a couple of months, that's going to get defined. That's really going to shake things up. Because I think a lot of companies who want to sell their software and services to the Department of Defense have been waiting on the sidelines to see how it gets settled. It's about to be settled.
Jesus Jimenez: And going back to AI. So I mean, everybody wants to know about AI, wants to have some AI in their tools. And even though, at least in the US, you don't have any regulations at the moment or anything that's telling you, "Hey, you have to have an ISO 42001 certification," a lot of your clients are going to require it just like how they require SOC 2. There's some sort of AI component within your tool. You are having some LLM within your tool. They're going to be interested in seeing the security around it, how's their data protected? Are you using their data in order to feed or teach your AI? So basically you want to make sure that you start having those conversations, start talking to your different partners and start working towards those certifications that might not be required right now, but might be required in a year or two when your customers start learning about it and getting informed of some of the risks that AI brings to the table. And it is not scary. I mean, I think AI is great. We use it in our audit processes to make them more efficient, but we definitely want to make sure that, hey, what are you using it for? Is the client comfortable and is the information still secure? And another trend that I wanted to mention is, so we've seen SMB and mid-size organizations using compliance automation for some time now. For a few years now, we're seeing enterprise clients saying, "Hey, how can I use compliance automation to make my audits more efficient?" And for example, so the larger the organization is, the more likely that they have several frameworks or regulations that they have to be compliant with. So we're getting a ton of questions from larger organizations coming to us and saying, "Hey, we want to use a product like SecureFrame in order to get our SOC 2, HIPAA, PCI requirements done without having to have three different audits, three different auditors."
And legacy GRC tools typically do not have any sort of automation, which makes the process very manual for them. So that's another trend that we're seeing quite a bit, these larger organizations just trying to use those tools.
Dan Katt: Yeah, that's a great call out, Jesus. I appreciate that. And as we pivot away from the prepared discussion topics to the Q&A section, I see that we don't have any questions from the audience. So I'm going to ask a question on behalf of the audience. This is one that we get fairly often, and it'll be a fun one because we've got a technology company, an advisor, and an auditor. So here's the question that we tend to get asked fairly often. When I'm starting my search for a compliance partner, who do I start with? Is it the advisor? Is it the auditor? Is it the technology? What's the most ideal situation? All right, grenade is thrown out there. I'll let you three battle it out. No, I'm kidding. But I would be curious, what are your perspectives?
Jim Goldman: Is there a right answer? I don't know if there's a right answer.
Dan Katt: Let's hear it. I was going to say, yeah.
Jim Goldman: Because I've seen it from all angles. I've seen it from customers that have already bought their GRC platform and now need help, right? We've seen it where somebody, for whatever reason, went to an auditor first, and the auditor said, "Well, it's a conflict of interest for us to be consultants. So you really need to hire an advisor first." And I'm sure Marc has seen where people are talking to him about the platform and they say, "So you're going to be our consultants too, right?"
Jesus Jimenez: Yeah, I couldn't agree more. Right? So there isn't a right answer. I just think what's really important is for the company to be proactive and not come in at the last minute trying to be compliant with whatever framework, whatever regulation it is. We see very often where companies say, "Hey, I need to be SOC 2 compliant or ISO certified within two months or-"
Jim Goldman: Next week.
Jesus Jimenez: Next week. Yeah, exactly. And that's not doable. You're probably going to have to use an auditor that's just going to check the box. Probably a consultant that is just going to give you [inaudible] that are not even in line with your organization. Yeah, I mean, absolutely. It's all about timing, in my opinion.
Dan Katt: Yeah, I think what I've learned from the discussion today, it's all about timing. It's all about selecting a partner that's going to support you, where you're at, and where you intend to go, and leveraging technology to accelerate your journey to audit readiness, certification, and then maintaining the program long term. So it's a bit of a fun question to end on. Appreciate everyone's participation.
Jim Goldman: Yeah, thank you for the curveball, Dan.
Dan Katt: Yeah, well, it wouldn't be a live panel if I didn't throw a curveball out there, but I think we're at time.
Jim Goldman: Yeah, we are.
Dan Katt: So I appreciate everyone's participation this morning. Thanks to our audience for joining us. Please feel free to reach out with any additional questions. Again, Marc, Jim, Jesus, really appreciate your time this morning.
DESCRIPTION
What You'll Learn:
- When to Engage a Partner: Identify the need for a compliance partner based on your organization’s size and needs.
- Preparing for Engagement: Key steps and considerations before starting a partnership.
- Evaluating Partners: Tips on assessing potential partners for cultural fit and relevant experience.
- Tools and Technologies: Recommendations for effective compliance solutions.
- Advisors and Auditors: Benefits and best practices for working with compliance advisors and auditors.