Q&A with Hyperproof: How the Pains of Compliance Operations Led CEO Craig Unger to Make a Solution that Works

By Community Team

Information is the backbone of companies today, and the need for organizations to protect their customers’ and their corporate data is greater than ever. Last year, security and compliance professionals had to quickly evolve their approach to address new threats and risks during the COVID-19 pandemic. The measures designed to safeguard the physical office environment became obsolete overnight when companies had to send millions of workers home.

At the same time, the cost of making errors has risen. Last year, privacy regulators issued a record number of fines for GDPR violations to companies that failed to keep their customers’ data safe. Additionally, US agencies and corporations were being targeted by significant coordinated cyberattacks believed to be the work of foreign state actors.

Craig Unger, Founder and CEO of Hyperproof

Now, organizations cannot simply claim they’re secure or compliant. More and more of them are spending dollars and time administering a risk management system such as SOC 2, ISO 27001, or NIST SP 800-53 to demonstrate strong security. They must prove to customers and partners that they’re worthy of trust by collecting large amounts of evidence of their infosec efforts and undergoing multiple information security/data privacy audits each year.

SourceForge talked in depth with Craig Unger, Founder and CEO of Hyperproof, to discuss how companies can stay ahead of the fines and cyber attacks, adapting from reactive, ad hoc compliance management to staying continuously compliant and protected throughout the year. In addition, we’ll draw on his expertise to give you some actionable ways to transform your IT risk management program from reactive to proactive.

Can you talk a bit about the company’s history? Who was involved and how did it get started?

Hyperproof officially started in 2018, but its story begins years ago with my work at Microsoft. In one of my roles there, I was tasked with developing Microsoft Passport, one of their largest and most critical cloud services. However, due to objections made on the claims of our service’s security, independent organizations filed a complaint with the Federal Trade Commission (FTC) to investigate Microsoft.

After almost a year, Microsoft and the FTC agreed to a set of remedies that included intense and comprehensive auditing of Passport services. These audits were so disruptive that they effectively halted all progress on our product development efforts.

When I left Microsoft to co-found Azuqua, a company working in cloud and integration workflow, I once again was faced with compliance challenges. First, we were barraged by complex spreadsheets and questionnaires relating to how we designed, built, and operated our services. After filling out the 200-question reports dozens of times, our startup of about 20 employees began pursuing SOC 2 Type 1, SOC 2 Type 2, and eventually GDPR certifications—which also took a lot of dedicated time to complete.

After I finished my work there, I reflected on how, whether it was a huge company like Microsoft or a startup like Azuqua, the approach to compliance was the same: a hodgepodge of tools centered around emails and spreadsheets. The process was manual, error-prone, redundant and universally reviled. It seemed clear there must be a better way. In essence, Hyperproof was born out of my experience with the same struggles many compliance managers still face today.

What’s Hyperproof’s core mission? What big challenge keeps security assurance professionals up at night?

As mentioned earlier, the vast majority of the security compliance work is done manually—with ad-hoc tools like spreadsheets, email, cloud-based file storage systems. Hyperproof’s December 2020 survey of 1,029 IT compliance professionals found that a full half of respondents spend 50% or more of their work time on low-level administrative tasks, leaving little time for other important work. Security and compliance professionals spend so much of their time on basic tasks (e.g. gathering evidence that security policies and procedures are followed) just to get a good score from their auditor. Many security assurance teams do their best to prepare for the audit until they pass it, but afterwards pay less attention.

Many organizations don’t have real-time visibility into their security posture, and they don’t have time to proactively address the issues that can lead to costly security & compliance incidents.

From this, it’s no surprise that we also found 61% of respondents had experienced at least one security incident or compliance lapse in the last three years. Those lapses resulted in the losses of millions of dollars.

Customers and partners know this, so they often won’t do business with entities that haven’t proven their security and compliance through certifications or audits. This alone is enough to keep many security professionals up at night as they try to figure out how to handle so many moving pieces with inefficient methods.

This leads us to our core mission: we want to make it easy for organizations to prove to their customers, shareholders and partners that they’re taking security, data privacy and compliance seriously, and to do the work required to mitigate risks on a continuous basis.

What makes Hyperproof different from other GRC tools?

Although GRC tools have existed for over a decade, most were based on risk tracking and/or policy management. The GRC category of software was also born at a time when cybersecurity and data privacy regulations were less of a burden on information-based businesses than they are now. Fast forward to 2021, it’s not unusual for a mid-size organization to have hundreds of business applications and processes that affect the security of information. They weren’t built for the tasks today’s security assurance and compliance professionals must tackle. Today’s compliance professionals need to collect proof of security controls from many more places and people than they’ve had to in the past. Specifically, most GRC tools aren’t meant to help organizations with collecting and managing evidence on a continuous basis—a highly tedious, yet necessary task for maintaining a solid security posture. Further, they’re often not intuitive to use and thus require a lot of training before people are comfortable on the platform. When you have so many stakeholders who need to be involved, having a tool that’s easy to adopt and learn and use is a must.

On the other hand, compliance operations software like Hyperproof is specifically built for today, when protecting information—and your ability to prove you can protect that information—has become paramount to business success. We’ve built our product based on the feedback of compliance professionals at every level. Our platform was designed with a “continuous compliance” approach in mind. We believe that to mitigate risks on a continuous basis, organizations need to re-assess their risks often and ensure that they have a set of controls implemented and operating effectively to mitigate those risks. Risks change all the time, so your organization’s controls have to keep up. Hyperproof’s compliance operations platform makes it easy for security and assurance teams to understand the current state of compliance, identify and plan out what they need to do next. It helps people get work done efficiently, in iterations; it also helps people measure how they’re doing and identify areas of improvement. We believe that by taking this iterative, agile and proactive approach, organizations become much better protected than otherwise.

For a company that wants to get better at managing its IT risks proactively, what should it do to evolve toward a more proactive, disciplined approach?

When organizations use multiple, disconnected tools to manage their risk, collecting critical compliance and risk information is incredibly difficult and tedious. As such, organizations often have a limited understanding of how well existing risks are managed and have a limited capacity to detect when a control meant to mitigate a certain risk has failed or hasn’t been implemented effectively. In fact, close to 70% of surveyed IT security assurance professionals do not have a monitoring system in place to check whether controls designed around their organization’s specific risks are operating properly or not. This means when a compliance or security lapse occurs, the companies are left doing damage control. Luckily, there are ways to manage your IT risks proactively.

Break down information silos across IT risk management processes

Connecting where all the information is stored across the IT management processes—so that risks, security requirements, and the state of existing internal controls can be well understood—is the first step to managing risks in a proactive way. For example, in Hyperproof all of your company’s risks, control objectives and requirements, controls, and compliance artifacts can be documented and mapped to each other.

Break down work into small increments and work iteratively

Compliance work can feel really intimidating if you think about everything that needs to be done all at once. But if you take a pragmatic and incremental approach, the work becomes much more manageable. A pragmatic approach is one that starts with your organization’s business needs in mind. For instance, what are the most critical risks within your business that need to be mitigated? Which risks need better mitigation controls? What’s the next audit that’s coming up? Is there a new security regulation or standard your business has to become compliant with in the coming months?

Knowing your current state and your business priorities, you can start to set realistic, achievable milestones and identify the most important set of tasks that need to be completed in the near term.

Define a process for collecting and reviewing evidence.

One of the most important parts of compliance operations is evidence collection. Evidence needs to stay up to date and be accessible so you can assess whether the controls you’ve implemented are functioning properly. Additionally, in order to pass an independent audit, you’ll need to supply your auditors with the correct compliance artifacts.

By having a clearly defined process for collecting and reviewing evidence, you can save a significant amount of time, money, and frustration and minimize the risk of control failures.

When defining your evidence collection process, it’s important to consider the following:

  • Evidence should be mapped to controls
  • What types of evidence are needed to test whether this control is functional?
  • What’s the appropriate frequency for collecting that evidence?
  • How long do I consider the evidence to be “fresh” or valid?
  • What IT/business system does the evidence reside in?
  • Who is responsible for submitting the evidence?
  • Who needs to review that evidence?

By keeping all this contextual information alongside each piece of evidence in a system of record, you can easily reference this information for future audits, saving time and money.

Automate processes to make them more efficient (and support a more efficient compliance operation environment for the entire organization)

Many repetitive, administrative tasks like collecting and updating evidence give little time for more important tasks aimed at improving security and resiliency. Tasks like testing controls on high risk areas, or talking to business units to understand what’s changing and how that affects risks cannot be done properly if there’s not enough time.

Further, at the control level, one can become “over-controlled” when trying to meet multiple different but similar framework requirements. This issue has driven the move towards unified control frameworks, and automation can help us achieve it in light of new or changing requirements.

Have a reporting and monitoring system in place to support ongoing improvements

Security assurance/IT compliance work is an ongoing, iterative process. Controls can quickly become obsolete as changes occur in the organization, such as when a new IT system is implemented. To achieve continuous compliance operations, every organization needs to have a reporting and monitoring system to provide real-time insight into the status of controls, risks, audits, and automatic flagging of issues that demand attention.

For example, one report should help identify which controls need review due to evidence that is overdue to be updated. You should have an easy way to see which security objectives aren’t met yet because they have controls which still need to be defined or implemented. Lastly, it is important to have a way to track which tasks need to be done so that everyone involved knows what needs to be done next.

Make Iterative Improvements

Infosec compliance work is never done. As your organization grows, you’ll face new compliance requirements and new risks that need to be mitigated. It’s important to look at your compliance program as a living entity and make incremental improvements on a continuous basis.

For more information on improving risk and compliance operations, check out our blog posts and resource library.
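The evidence-collection checklist and the two monitoring reports described in the answer above (controls whose evidence is overdue, and objectives that are unmet because a control is undefined or not implemented) can be modelled as a small system of record. The following is an added example written for this page; it is not Hyperproof's code and does not reflect how the Hyperproof platform stores or evaluates evidence. Every control, objective, evidence artifact, owner, system name and date in it is constructed for illustration, and the freshness and frequency windows are assumed values.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class Evidence:
    """One compliance artifact plus the context the checklist asks for."""
    control_id: str                      # control this evidence tests
    description: str                     # what the artifact shows
    source_system: str                   # IT/business system it resides in
    owner: str                           # who submits it
    reviewer: str                        # who reviews it
    frequency_days: int                  # how often it must be re-collected
    freshness_days: int                  # how long a collected copy stays valid
    collected_on: Optional[date] = None  # None: never collected yet

    def expires_on(self) -> Optional[date]:
        if self.collected_on is None:
            return None
        return self.collected_on + timedelta(days=self.freshness_days)

    def next_due(self) -> Optional[date]:
        if self.collected_on is None:
            return None
        return self.collected_on + timedelta(days=self.frequency_days)

    def status(self, as_of: date) -> str:
        """'missing', 'stale', 'due' or 'fresh' as of the reporting date."""
        if self.collected_on is None:
            return "missing"
        if as_of > self.expires_on():   # past the freshness window
            return "stale"
        if as_of >= self.next_due():    # still valid, but re-collection is overdue
            return "due"
        return "fresh"


@dataclass
class Control:
    control_id: str
    name: str
    implemented: bool
    evidence: List[Evidence] = field(default_factory=list)


@dataclass
class Objective:
    objective_id: str
    name: str
    control_ids: List[str]


class EvidenceRegister:
    """System of record mapping objectives -> controls -> evidence."""

    def __init__(self, controls: List[Control], objectives: List[Objective]):
        self.controls: Dict[str, Control] = {c.control_id: c for c in controls}
        self.objectives = objectives

    def add_evidence(self, ev: Evidence) -> None:
        # Raises KeyError if evidence is mapped to a control that is not defined.
        self.controls[ev.control_id].evidence.append(ev)

    def controls_needing_review(self, as_of: date) -> Dict[str, List[str]]:
        """Report 1: controls whose evidence is missing, stale or due for
        re-collection, or that have no evidence mapped and so cannot be tested."""
        report: Dict[str, List[str]] = {}
        for cid, ctrl in self.controls.items():
            if not ctrl.evidence:
                report[cid] = ["no evidence mapped"]
                continue
            problems = [f"{ev.description}: {ev.status(as_of)}"
                        for ev in ctrl.evidence if ev.status(as_of) != "fresh"]
            if problems:
                report[cid] = problems
        return report

    def unmet_objectives(self) -> Dict[str, List[str]]:
        """Report 2: objectives not met because a control is undefined or
        not yet implemented."""
        report: Dict[str, List[str]] = {}
        for obj in self.objectives:
            reasons = []
            for cid in obj.control_ids:
                ctrl = self.controls.get(cid)
                if ctrl is None:
                    reasons.append(f"{cid} not defined")
                elif not ctrl.implemented:
                    reasons.append(f"{cid} not implemented")
            if reasons:
                report[obj.objective_id] = reasons
        return report


AS_OF = date(2021, 6, 1)  # constructed reporting date


def build_sample_register() -> EvidenceRegister:
    """Constructed sample data; all identifiers and names are illustrative."""
    reg = EvidenceRegister(
        controls=[
            Control("AC-1", "MFA enforced for all staff", implemented=True),
            Control("AC-2", "Quarterly user access review", implemented=True),
            Control("AC-3", "Central log retention >= 1 year", implemented=True),
            Control("SD-1", "Mandatory peer code review", implemented=False),
            Control("VM-1", "Annual vendor risk assessment", implemented=True),
        ],
        objectives=[
            Objective("OBJ-1", "Restrict access to production", ["AC-1", "AC-2", "AC-3"]),
            Objective("OBJ-2", "Secure development lifecycle", ["SD-1", "SD-2"]),  # SD-2 undefined
            Objective("OBJ-3", "Manage third-party risk", ["VM-1"]),
        ],
    )
    reg.add_evidence(Evidence("AC-1", "IdP MFA policy export", "identity provider",
                              "it-admin", "secops-lead", 90, 120, date(2021, 5, 1)))
    reg.add_evidence(Evidence("AC-2", "Access review sign-off ticket", "ticketing",
                              "it-admin", "ciso", 90, 100, date(2021, 1, 15)))
    reg.add_evidence(Evidence("AC-3", "Log retention config export", "SIEM",
                              "secops", "secops-lead", 30, 60, date(2021, 4, 20)))
    reg.add_evidence(Evidence("SD-1", "Branch protection settings export", "source control",
                              "eng-lead", "secops-lead", 30, 45))  # never collected
    return reg


def sample_reports(as_of: date = AS_OF) -> Dict[str, Dict[str, List[str]]]:
    reg = build_sample_register()
    return {"controls_needing_review": reg.controls_needing_review(as_of),
            "unmet_objectives": reg.unmet_objectives()}


if __name__ == "__main__":
    for name, rows in sample_reports().items():
        print(name)
        for key, reasons in rows.items():
            print(f"  {key}: {'; '.join(reasons)}")
```

Separating the collection frequency from the freshness window lets the first report distinguish evidence that is merely due for re-collection (still valid for an auditor) from evidence that has actually expired, which is the case that leaves a control untested; a control with no evidence mapped at all is flagged on the same report, because it can never be shown to be operating effectively.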

About Hyperproof

Sales teams have Salesforce, HR has Workday, and Engineering has a variety of DevOps tools to efficiently execute their work. It’s time security assurance and compliance teams got their own platform for managing daily compliance operations—a place for making project plans, getting work done, tracking progress, and identifying areas for improvement.

Hyperproof makes building out and managing your information security frameworks easy by automating repetitive compliance operation tasks so your team can focus on the bigger things. The Hyperproof solution also offers powerful collaboration features that make it easy for your team to coordinate efforts, collect evidence, and work directly with auditors in a single interface. Gone are the days of uncertainty around the audit preparation and compliance management process. With Hyperproof, you get a holistic view of your compliance programs with progress tracking, program health monitoring, and risk management.
