Sign In

Insights

Deciphering integrations and automation in SaaS IT compliance tools

Your organization is unique. Different organizations are at different stages of IT security maturity, and a one size fits all ‘integration’ may not make sense. The controls you have in place and the tools you use to meet them fit the reality of your business today. Many IT compliance service providers claim that automations and integrations will save the day. What do they mean and are they really as time saving as they claim? How does one separate the wheat from the chaff when it comes to figuring out what is useful and what is smoke and mirrors? Let’s break this down for you.

Integrations 

In the IT compliance SaaS space, integration refers to the ability of a product to seamlessly integrate with other services to generate audit evidence. Think about where most of your documents live: on a Google Drive? SharePoint? Confluence? In an HR system? In the settings of another SaaS or PaaS provider? If a document lives in one place, it can be automatically collected through an integration. The first time that evidence is collected, a ‘link’ needs to be established. This link makes evidence collection more efficient in the future.

The biggest complaint about collecting audit evidence is how tedious and manual the process is. Integration lends itself well to an automated solution. This form of automation can not only reduce the number of manual tasks, but can also ensure the timeliness of evidence collection activities. However, the reality is that integration only solves for a fraction of the labor required to pass an audit

Automations 

Automation assumes that you have the exact products that your compliance solution provider connects to. The connection is intended to go into a system and pull out the evidence needed. In other words, it refers to taking a manual task and converting it into a repeatable, automated process. While a handful of audit evidence can be collected with the push of a button, this is only handy if the evidence you are required to provide is available on a system that the compliance solution provider has integrated with that allows the flexibility you need for your unique set of business operations. If your IT security processes are not performed on that handful of external products, you have essentially signed yourself up for a pricey and useless solution.

A word of caution

Compliance is achieved when an approved assessor or auditor is comfortable with the company defined security processes. Technology can be a powerful enabler for people and processes. However, computing systems with only integrations and narrow automations may not be the most productive tools. It is a fallacy to think that automation entirely solves the complexity of common audit evidence requirements. Human judgment will always be required to meet compliance and audit objectives.

The value of integrated automation may not be immediately apparent in startups or smaller companies. Technologies are constantly changing and today’s integration may not be the same tomorrow. Implementing a cyber security compliance SaaS with deep systems integrations for a broad possibility of automations may be valuable. However, incorporating manual checks and balances, and using a bit of common sense can be just as efficient as adopting and managing another systems integration tool.

Consider “adaptive” compliance

When selecting a compliance provider, consider one that is best suited to your organization. It is inevitable that your IT security practice will change and evolve, and a system that can adapt to changes is foundational. Consider a flexible technology that can grow with you and focus on automating only the most appropriate compliance tasks. While automations and integrations can be valuable, adaptability is the most critical criteria when measuring compliance platforms. Adaptive compliance allows organizations to appropriately incorporate new risks, custom controls and various evidence requirements, and takes changing compliance requirements into consideration. For example, instead of waiting on a compliance system to support a policy or control you need, it should be designed to handle security practices that you already have.

The ability to adjust your cybersecurity practices will enable your company to be more efficient and competitive. Finding the right compliance technology for your unique landscape will ensure that your organization can focus on innovation and customer value.

Michelle Strickler
Michelle is a passionate advocate for a risk-based approach to IT compliance, as well as for an increased role of effective IT governance. Before joining Strike Graph, she coached companies, from startups to public enterprises, through their compliance initiatives. In a past life, she was an IT Auditor, but don't hold that against her.

Learn how you can leverage Strike Graph for your cybersecurity needs