Compliance as a Service

When my kids were small, there was this torturous jingle on Sesame Street that combined the letters of the English alphabet into a jumbled melody. If you parented little ones when I did, then you can sing along with Big Bird right now in your head: ‘ABC-DEF-GHI-JKL-MNO-PQR-STU-VWXYZ, I wish I knew exactly what I mean.’ Say what you will about that bad song, but Big Bird made a good point: The letters of the alphabet can only be understood with proper context.

Which brings me to the tangle of acronym-laden letters underlying modern cyber security compliance. Here is how Big Bird would sing a friendly jingle of their concatenation: ‘PCI-DSS-CSA-STA-RGD-PRH-IPA-AHI-TRU-STI-SO2-700-1MA-RSE-P2P-EPA-DSS-SOC-1SO-C2S-OC3, I wish I knew exactly what they mean.’ Maybe the good folks at ISACA should consider hiring a Big Bird impersonator to sing that song at their next security audit conference.

I had this crazy alphabet soup of security compliance in mind while chatting last week with the principals of Fairfax-based ControlCase. My good friend Norm Laudermilch recently joined the company as their COO, and I was keen to understand the team’s plans. After two enjoyable review sessions, I’m convinced that their compliance-as-a-service solution can help enterprise team deal with the complexities of modern frameworks. Here’s what I learned:

“Our compliance-as-a-service platform ingests relevant telemetry from the enterprise and then automates their security framework assessments,” explained Kishor Vaswani, CEO of ControlCase. “We provide managed services to our customers using technology tailored to collect the type of information available on premise or in the cloud, and to then support the growing challenge of audit, assessment, and regulatory review.”

The company principals have the right backgrounds for this type of work. Founded in 2004 by former EY consultants, ControlCase has grown to include several hundred experts supporting several hundred clients across the world. If you have any background in managing a consulting practice, then you know that this is not an insignificant achievement. ControlCase is a substantive player, and the addition of Laudermilch is quite a grab for them.

The ControlCase solution can be described in terms of five related components: (1) Compliance-as-a-service, (2) managed compliance services, (3) certifications, attestations, and assessments, (4) enterprise data security ratings, and (5) compliance scanning. Obviously, all these offerings are centered on their platform, which involves an appliance deployed with connectors to existing enterprise security systems such as the SIEM and vulnerability management tools.

“We turn your SIEM and VM tools into compliance engines,” Vaswani explained. “We do this by orchestrating the available information into an automated framework, and we integrate with workflow support by connecting with GRC platforms such as Archer.” I asked about supported frameworks, and that’s when I was treated to the alphabet soup of compliance mentioned above. ControlCase will have you covered, regardless of your required compliances.

I asked the team about cloud, and they went into considerable detail about their AWS integration. Apparently, they’ve managed to simplify cloud compliance for their AWS customers to click button processes in about 60-70% of the required work. The team explained that they are working now to build automation for several other cloud service platforms, and we all agreed that this is an important initiative.

The reality in our industry is that enterprise compliance concerns are growing, not shrinking, and this is neither welcome nor helpful. Once you establish strong compliance with a proper framework, then I believe this should be sufficient – just like having one home inspector check with a clipboard check your home; you do not need to hire ten inspectors with ten clipboards. But set aside the logical analogies: Compliance will grow and needs to be managed.

For this reason, the ControlCase appliance and associated set of managed and professional services look to be supremely useful for modern businesses. And I suggested to the ControlCase team that the green field of smaller and mid-sized companies – many of whom are seeing an exponential growth in their compliance obligations – will provide an excellent growth opportunity for their platform and services.

My advice would be to contact the fine ControlCase management team. Ask them to take you through their solution offerings, and if you have small children, then listen to the Big Bird song in advance of the discussion: It’ll remind you of the plethora of frameworks that need to be addressed. And as I always request, please make sure you share your learnings with the rest of us here.