Processes, Policies and Controls: What's the Difference?

HubSpot Video

Listen as Justin Beals, CEO and Co-Founder of Strike Graph, and Sam Oberholtzer, Director of Sales Engineering, discuss controls, policies, processes, why they're important, when you need them (and when you don't), and how they depend upon each other for compliance.

Please enjoy a transcription of the audio recording: 

Justin Beals (00:01):
Hi everybody. This is Justin Beals, the CEO and co-founder of Strike Graph, and we're really excited to host this video podcast opportunity. This is the first one of these that we're doing, and I'm just overjoyed to have Sam Oberholtzer from our team, compliance guru and audit extraordinaire  <laugh> to chat with a little bit. We hope to make this kind of a regular opportunity to discuss some of the issues that we're seeing in security, security compliance, and also technology and product and what people are building. Sam, thanks so much for joining me today.

Sam Oberholtzer (00:42):
Thanks for having me. And I'm really excited that we're going to have these little snippets. Especially as we start the new year, there's gonna be a lot more craziness starting, you know, as soon as busy season ends, there's a lot more, that's gonna come from that. So yeah, how have you been as we're kind of ramping up the year and you know, you're doing budgeting, we're planning out 2022?

Justin (01:09):
And it's audit season, right on top of all of it. Yeah. I don't know what it is about Q4, but everybody wants to get everything done all at the same kind of moment. My understanding of course, you know traditionally I played the role of Chief Technology Officer, so I was the consumer of the audit product. But that for auditors, this is a nightmare season, right? Like you've got everybody trying to get their audit accomplished on their commitment by the year end. And you're just trying to move everybody through. Is that correct?

Sam (01:40):
Absolutely. Just like your side or notoriously your side is stressed out about getting all their ducks in a row trying to figure out how they're going to complete the audit in timely manner, the auditors also have lots of projects going on. We have, or I keep saying we as if I'm still an auditor, but my ex auditor, I can definitely side with the audit firms. They not only have deadlines within their contracts for their companies, but they're also relying on all these companies to get everything in on time. So it's always kind of a trickle down effect for them.

Justin (02:22):
I always feel like in these super chaotic moments, having a clear head and a focus on what you're trying to do is really the only way to tackle the problem. And I think one of the things we wanted to talk to about today is how do I survive Q4 as an organization that needs to get audited and being very capable of making your auditor efficient too? I'm sure that your customer has some impact on your ability to get it done quickly. So, what's your advice for companies that are really trying to move through an audit quickly? It's a stressful time they're pressuring the auditor themselves. How do you keep common an audit on so to speak, Sam? 

Sam (03:11):
Yeah. You know, I think there's a couple of things - a couple of tasks or steps that companies, and especially our customers, those that might not have an audit quite yet, but just want to prep because they might be overwhelmed with year end with all of their business. I think we can break it down in a couple ways. I would recommend that if they are starting to prep for audit is to really think about the scope and what would that entail

1. Understand Your Audit Scope (services, data, and systems) 

And so to me, scope really would entail your services for your customers. What do you want in this report? What do you care about to actually start your foundation with the security aspect?

Justin (04:00):
So Sam, let me ask a question here because I mean, scope means a lot to a CTO and a product person. It's the greatest lever I have on actually getting something delivered on time. I think there's a perception, I certainly had the perception that scope was very fixed depending on the standard. Like SOC 2 required all of this, but I think what you're telling me and what I've certainly learned is that scope is very malleable depending on the organization. Right?

Sam (04:27):
Yes. And you know what, even before our customers or new startups start thinking about all the plethora of controls, I really want them to think in a smaller lens for now, because, or else they're gonna make themselves crazy. They're gonna start picking their financial systems, their education systems. So really from the audit side, we want to think about what systems are directly impacting your customer data?  Meaning if you're a SaaS company, let's think about your application. Let's think about your web-based application first and then the underlying infrastructure behind that. And then that's what we want to start with.

Justin (05:11):
Hmm... Yeah. It seems that the critical part of the data here in identifying scope is because of what's sensitive. That's what you're trying to secure. So the risk is with the data, understanding where that sensitive data lives is, how you can identify the things you need to secure. Right?

Sam (05:31):
Absolutely. And again, I do want everyone to know that we are talking about our foundational audits -- your SOC 2, maybe even our ISO, even though it's a little bit more of a stretch, definitely not Sarbanes Oxley 404 for public companies. Definitely. No, but that's why, I think if companies think about the scope, about what systems and what those systems hold, what type of data, then they should have a clear picture instead of picking everything at first. Let's start a little bit smaller thinking about the services and then the systems, and then the data.

Justin (06:13):
I have this phrase in my head, in the product world, we a lot of times talk about what's our minimum viable product. And I think about this as what's my minimum viable compliance for the trust I need to get? So let's say that I've done a good job, Sam, I'm working with a great team and we've got a good scope identified for what we need to secure and we've minimized it so that we can get through that first audit more easily. What's the next thing that I could focus on.

Sam (06:42):
Absolutely. And so you kind of brought it up, you kind of led me into that direction. It's your team. It's understanding who would be involved or at least let's figure out what categories would be involved because sometimes those categories are held by the same person, especially with the startups that we are seeing or helping with, whether helping them prepare or try to figure that direction.
So let's talk about what areas or foundation that we would talk about. Definitely IT. I know it's huge bucket, but we can even narrow that down more. If you have an application, we're definitely going to have your developers or maybe head of the department or lead. We want someone in infrastructure that's going to be helping gather. We want HR because they're the ones typically going to be handling onboarding and termination processes. They're going to be handling policies and that kind of paperwork. And then lastly, this can be like a give or take, but Legal. A lot of the times the legal people might handle your vendor management vetting. So whoever that might be, that's also very important to the success of your foundation of your report. 

2. Understand Your Team and Create a Culture of Security

Justin (08:09): 
I can see how powerful this. In the past, there's been a joke that the person that's in charge of compliance was the person that wasn't in the office that day when it got tasked out. So, whoever's kind of owning it, winds up in this really horrible situation where they're kind of keeping in their head, the list of controls that need to be operated or evidence. And they literally have to go hunt down a person and say like, can you give me that off-boarding process document? Where in actuality, if I just said, "hey, you are responsible for HR. Here are the things that you contribute to compliance", and was able to centralize that communication. I can see how that would make you a lot more efficient in getting all the data collected that you need to end over to the auditor.

Sam (08:54):
Absolutely. And I think it makes the people that are actually accountable and that actually own the process or own a certain area, it makes them more aware of what to expect and predict of what the audit's going to be looking like. So I think it might makes the process more efficient.

Justin (09:14):
Yeah. You know, one of the things you're hoping to do is create a culture of security. I've had a lot of conversations lately where I was like, it's not just about technology security. It's about the rest of the security practices that you need to do. And certainly the standards make you cover those areas. And if you can share the ownership of the whole practice and you kind of bring that culture in, into the operations.

Sam (09:41):
Yeah. I 100% agree with that point. Currently I have one of our customers that are pretty much starting from scratch, meaning like, not even, not even a little bit of their processes, even a place. What I'm finding is that you can tell someone how to build the governance, but then trying to make the people follow is the hardest obstacle. So if you're starting to build that accountability, baking out the importance of security as you're building roles, then you can stop or minimize that risk. The risk of, I guess, people almost, not even not following, but the risk of being part of those organizations that have to play catch up. Yeah. Have to play catch up to the compliance when compliance can naturally fall after.

Justin (10:40):
I didn't remember that I needed this control or I didn't collect the evidence. Yeah. Now we're rambling to try and pull it all together. Yeah.

Sam (10:48):
Okay. Instead of letting it happen naturally. Yeah. Like just kind of doing the control, like it it's part of your everyday job instead of just trying to prove it when the audit is there.

Justin (10:57):
Absolutely. Well, which leads us to, uh, you know, the auditor themselves. So, what's our next piece of advice for maintaining some sanity through this process?

Sam (11:11):
Yeah, absolutely. I think it's jotting down in their minds their deadlines -- internal timelines and not only communicating that with the team, but then also understanding what their stakeholders requirements are. Because again, this will help break out tasks, but then also understand what they need to do to be successful. Instead of again, being stressed out and trying to not only create, implement, and then gather as they're almost hitting their deadline. 

3. Set Milestones and Deadlines

Justin (11:49):
There are a lot of milestones that we know of and I think getting at list milestones down and backing out from the audit date that you're working against will let you measure how far away you are from the audit date and maintain that sanity. Some of those milestones are the initial scoping (what are my controls?) That probably leads to scoping of the evidence. I always think one thing that gets left behind her is like a last minute is like the system description. Like if you can get ahead of writing the system description. And one thing you've told me about is any of the annual practices that are checked in, what, what are some of those? Yeah.

  • Initial Scoping of Controls
  • Scoping of Evidence
  • System Description
  • Annual Practices

Sam (12:33):
Some of the annual controls that a lot of people might not think about are the ones that might indirectly impact the systems or the data. Okay. So some of the annual controls that our customers, or even people are thinking about going to audit, can start practicing and put in practice now is an annual security training or privacy training or both. Let's make our employees go through that. You can create a PowerPoint that shows them some of these practices. Let's think about how we want to even evaluate the performance of our employees. What kind of standard are we holding them at? It does not have to relate to compensation, even though that's naturally what it is, but it's at least helping them reach their career goals, their pathway, et cetera. And this doesn't even have to be a certain standard. We just wanna make sure that they're have conversations with their employees so that they, so that they don't have to lead into sanctions.

Justin (13:39):
It's how you want to design it. Right. Like, absolutely. It's just that the auditor wants to see that you're, you have some focus in the area and you created some security habit around it. 

Sam (13:52):
Absolutely. And that it's actually being performed for every employee. Yeah. Um, you know, executive management starts getting a little, like a little gray area, but oh, that's exactly

Justin (14:04):
Good. Yeah. <laugh>

Sam(14:07):
You know, that puts me at another thing, the org chart. Actually creating one and starting to start drafting up, reporting lines, doing accountability. Of course, this might be a little different for that one person's startup. You're building the blueprint for the processes.

And then one thing that you're gonna love is the risk assessment start thinking about how your risk of your business start thinking about your threats and vulnerabilities, and let's start putting numbers to it. Yes, yet's start rating your business risk. And so I, even if I know that seems a little bit overwhelming as self, but it doesn't have to be robust. It could be something that could be worked on ongoing a little bit as you think about it.

Justin (14:56):
Yeah. Certainly at strike graph, you know, it's fundamental for us in our customer engagements to use risk as a scoping mechanism to get that minimum viable compliance put together. Not a checklist of things that didn't necessarily matter to me, but the types of security habits or controls that mitigated a risk that I see for my business.

Well, Sam, I'm sure you're super happy to be on this side of the audit business a little bit and not crunching this to you for this time around.

Sam (15:30):
Oh my, I am not just excited about it. I'm excited that I get to expand my career, not just with audit and compliance, but I'm actually thinking about security and the importance of that. Just having the mindset of being more helpful, I guess, helping organizations before they get to audit and really starting to create those honestly best practices, a set of that checklist that like you said, because audit is like a checklist and, you know, depending on what it is, but we're trying here to create an environment where you're minimizing that risk and not just creating a checklist. Absolutely. So, yeah, I just, and I love it. I'm like I'm ecstatic.

Justin (16:18):
Well, I hope you enjoy your holidays and I can't wait to do another one of these segments with you. Thanks again, Sam for joining me. Thanks for anyone that gets an opportunity to listen. Please feel free to let us know at Strike Graph if we can be some help on your compliance journey. Have a great holidays, everyone.

Sam (16:37):
Thank you