Is a Vendor’s Promise to Deliver Compliance to your Organization in Weeks Plausible?
Guest author: Tom Cornelius, Senior Partner at ComplianceForge and SCF Founder
Published on 18th November 2022
When we first started the Secure Controls Framework (SCF) back in 2018, we had the ambitious goal to provide free cybersecurity and privacy control guidance to cover the strategic, operational and tactical needs of organizations, regardless of their size, industry or country of origin. We started off mapping to a few dozen different laws and regulatory frameworks, but fast forward to today, and that number has grown to over 100.
A lot has changed in our industry in the four years since we launched SCF, but one thing that hasn’t is our core mission to provide a powerful tool that helps to advance cybersecurity and privacy controls. With a small army of volunteer specialists working on an open-source platform, we know that delivering compliance cannot be achieved overnight.
That’s why it’s so jarring when we see a growing number of service providers making extraordinary promises to deliver compliance management solutions in weeks or even just a matter of days.
So, are these claims credible, and can providers really deliver reasonable compliance in a matter of weeks? The short answer is: no.
There is no silver bullet.
Everyone wants the silver bullet. Maybe it’s weight loss pills that promise that you’ll end up looking like a movie star without having to put the hard work in at the gym, or even a get-rich-quick scheme that promises untold millions with little or no risk.
It’s human nature to want to take a shortcut to your end goal. The problem is that if something sounds too good to be true, then the chances are that it inevitably is.
When it comes to compliance, there are no shortcuts, no silver bullets and no quick fixes. While achieving compliance in a short timeframe is theoretically possible, most organizations require a significant time period to implement complex and extensive changes. The exceptions to this rule are generally smaller organizations that are cloud-native with no legacy technology or a start-up environment that lacks existing processes and technologies.
When a vendor promises that it can deliver compliance in a short timeframe, it should be viewed at best as deceptive advertising or, at worst, as fraudulent business practices due to the vendor’s incompetence or apathy.
Neither option should fill you with confidence since compliance is a task that cannot be 100% outsourced. That means the vendor either doesn’t understand enough to realize what it’s promising is improbable, or it does not care and is willing to say anything to gain an increase in sales without considering the impact it has on its clients.
Compliance takes time
There’s no way around it; compliance takes time, since a standard is a standard for a reason. That’s true of all organizations, but especially those working toward highly complex requirements like CMMC, PCI DSS, SOC, ISO 27001/2 and even GDPR.
In fact, if you look at any organization from a reasonable perspective, it’s clear that achieving compliance is going to take months, if not years. Most successful compliance endeavors take a risk-based approach, prioritizing the efforts that reduce the most risk first, which also helps avoid having to re-engineer the compliance management solution partway through the journey.
Put simply, compliance doesn’t happen overnight. There’s an interconnected web of cybersecurity and data privacy requirements that modern businesses have to adhere to. This is further compounded as more and more aspects of our lives are digitized and automated.
Today’s landscape is overwhelmingly complex.
The makeup of modern organizations also adds an additional layer of complexity. With multiple sectors, processes, supply chains and systems to manage, mapping controls across all lines of business takes time – and that’s before you even consider additional aspects such as the sensitivity of your data, your level of inertia and how committed senior management is to the initiative.
A top-down approach
The process of compliance is complex and requires extensive planning and adequate time to execute the transformations needed within an organization. A top-down approach that holistically embeds compliance in every aspect of your operation is a big shift – one that will need to be planned and implemented strategically in order to succeed.
In my work at ComplianceForge and SCF, I tell people that we are “tool builders”. We make compliance management solutions that can enable organizations to move faster towards their end goals. However, I’m also quick to point out that no matter how sophisticated a tool may be, tools are no substitute for the legwork that ultimately needs to be done to make your organization compliant, and that’s before we talk about security.
At the end of the day, there are no shortcuts in compliance – so, ‘buyer beware’ when anyone tells you otherwise.
We’re offering our clients the tools they need to help move faster towards their end goals… but no matter how sophisticated they may be, these tools are no substitute for the legwork that ultimately needs to be done to make your organization compliant and secure.
To hear more from Tom Cornelius and his take on compliance management solutions, check out this episode of our Capability-Centric GRC & Cyber Security podcast. It features a wide-ranging discussion about the most significant cybersecurity and compliance issues we face today.