Cracking the Code to Compliance Management


Adam Shnider

EVP, Assessment Services, Coalfire

September 26, 2023

Based on recent research and findings from Coalfire’s 2023 Compliance Report, the second blog in this series outlines compliance program management and performance priorities for CISOs and compliance leaders.

Key takeaways:

  • To support business growth, CISOs are under pressure to leverage and monetize multiple frameworks.
  • To achieve a competitive advantage, decision-makers need to embrace the concept of the mission-critical lifecycle of compliance disciplines: preparation, assessment, maintenance, and expansion.

According to Coalfire’s 2023 Compliance Report, compliance operations are becoming more complex, costs are on the rise, and corporate leadership is demanding greater efficiencies. Of those IT and security executives surveyed, 84% are impacted by mandatory data protection regulations, and 70% manage at least six frameworks. With these growing pressures on top of an expanding attack surface, expectations for the CISO are increasing dramatically.

In the first blog in this series, we outlined compliance challenges and made the case that automation, informed by human intelligence, is the solution. However, at least 25% of enterprise security programs haven’t even started to plan for new regulations and framework revisions, and 56% saw higher compliance management costs despite the use of automation built by product companies.

From the results of Coalfire’s report and real-world experience with our customers, we recommend that compliance leaders assess their situations, choose appropriate automation strategies that are tailored to compliance outcomes, and prepare for multi-framework compliance operations by following these four essential steps:

Step 1: Prepare

Compliance leaders spend a lot of time preparing for assessments and audits. In every engagement, they are asked to provide information that demonstrates compliance. But in multi-framework, multi-cloud environments, that information doesn’t always translate into the same platform, format, and approach from one assessment to the next.

As a result, programs often take on the extra burden of re-factoring all the hard work collected throughout the year to make it usable for different assessors. With this in mind, we advise clients to ensure they have implemented all controls, managed the requirements across all relevant frameworks, and made them as repeatable as possible.

Preparation is the critical first step, where compliance teams should lift the hood to inspect the final evidence and validate that it’s ready to be shared with the assessor to start the assessment.

Many SaaS solutions skip this step and go straight into loading a high volume of data into generic controls without first checking that the compliance team has reviewed the evidence and adequately prepared for the audit.

Skipping this step creates additional crunch time and burden on both the compliance team and the assessor because the information isn’t freely available to get started quickly.

Step 2: Assess

Now that the compliance team has validated that all artifacts align with the controls, it’s time to kick off the assessment. Start with an initial conversation with the assessor to discuss the data and artifact requests and decide how data will be shared with the assessor through a document repository.

The assessor’s collection repository may not be mapped to anything you have done or prepared for, requiring you to pull out the secret decoder ring — namely, the records you’ve built over the years to produce the right evidence for the requests.

But what if that decoder ring has changed? Or the framework is different, or your assessor changed their methodology? Inevitably, you’ll spend more time and energy making the transition from all your preparation to getting the right information to your assessor.

With an integrated solution that you and your assessor are both using, the headache of mapping and spending time decoding the requests from your system of record to the assessor's requests and document repository can be eliminated.

There are two key elements to a seamless assessment:

  1. The assessor should consume the information in the same format and system that you maintain and prepare for assessments.
  2. Your platform for managing your compliance program and assessor should leverage common controls across multiple frameworks and multiple environments to limit duplicate efforts to collect and provide evidence.


Step 3: Maintain

Regardless of specific guidelines, the organization is still responsible for security and regulatory adherence. Many frameworks require continuous monitoring after the assessment is complete to meet that adherence. Organizations can struggle with this step due to the dynamic nature of the environments, engineering teams, and business changes.

A new wave of security standards is emerging. While more than 70% of those surveyed are preparing for significant migrations over the next 18 months, many organizations remain under-prepared for this impending series of transitions and deadlines emanating from governing bodies. Boards are wary of the risks and are now tying compliance spend to better assurance and better business outcomes. This requires continuous technical review and program maintenance visibility for directors and officers.

However, the competing priority of reducing budgets and limiting spend makes it more difficult to keep up with the regulatory changes without the proper platform to organize and monitor the controls, artifacts, and configurations that exist within the environment.

Step 4: Expand

It’s happening more often: the CISO gets a call from the sales team – they’ve identified a new market and need a quick answer on how much time and effort it will take to assess the applicable framework.

If their platform is unable to leverage the compliance work the team has already put into other regimes, they’ll be left without an immediate answer on the overall level of effort required and without an actionable roadmap to support the business request, which shortens the window for new market entry.

As businesses venture into new markets, their compliance programs must continually adapt. This evolution is crucial to facilitate swifter progress and meet shifting expectations without the need to recruit a team of compliance specialists for every emerging framework.

In the compliance report foreword, Prashant Vadlamudi, Cisco’s Global Head of Cloud Compliance, sums it up succinctly: “We used to think of compliance as a necessary evil – get the auditors what they need, check the boxes, and move on. Today, compliance has evolved into a business enabler that arms sales teams not only with proof of certification, but also with the ability to demonstrate a company’s security advantage over its competitors. With the marriage of standards regimes and security automation, compliance has finally emerged from burden to business enabler.”

AI for compliance

As you look for ways to drive visibility and efficiency in your compliance program, a platform solution should be on your list to explore. An effective tech-enabled compliance management approach meets you where you are and, ideally, scales with your business.

The reality is that most compliance solutions fall into one of two camps: professional services firms that perform some variety of assessments, or product companies that offer an automation tool. It’s rare to find both in one solution that brings “Actual Intelligence” (AI), the combination of human intelligence and automation, to your compliance program in a single compliance management solution.

To take it a step further, many products on the market don’t provide evidence mapping across frameworks as a standard feature, or they use off-the-shelf mappings from third-party data sources that are not based on a real-world assessment experience.

The real power lies in compliance security experts leveraging their intelligence to continually improve the mappings and evidence requirements and automating configuration reviews directly into a platform for managing the overall compliance program.

The key is to blend deep, real-world experience, human intelligence, automation, and risk management expertise into a platform so that organizations can map, assess, test, and then replicate and certify many times across a variety of regulatory environments without spending more money or hiring teams for every new framework. Compliance Essentials was built using over 20 years and millions of hours of assessments to solve the challenges facing organizations in the market today.

One of the top concerns derived from our research is that companies aren’t seeing the savings they expected from their compliance automation platform due to inadequate and incomplete evidence mappings that don’t take the full lifecycle of compliance into consideration.

In the next blog in this series, we’ll examine the limitations of existing compliance automation solutions in aligning evidence mapping with multi-framework audit requirements.