Terra Cooke

Why Compliance Sucks: Part One

Updated: May 26

At ByteChek, our tagline is “make compliance suck less”. Now, before we get into why compliance sucks, I want to give you some background context on me.

I’ve been in the security game for 12+ years now. From information to cyber security, engineering, governance, risk, and compliance (GRC), audit, consulting, program management, public sector, and private sector.

You name it, I’ve almost done it. I LOVE compliance. A lot. Like more than most people. And while that makes me a bit weird since this deep love affair appears to be quite rare, it also makes me a premium, grade A expert in knowing compliance.

And with that knowledge, I can say that compliance does, in fact, suck.


I’ve not come across one place or person that didn’t groan a little bit when it comes to these conversations, and I get it. The subject matter is dry as a saltine cracker, mundane, and a time suck. But more than all of this, and what I want to dive into more for this part of the series, is that most people just see compliance as a checkbox exercise.

As we all know, there are certain things in life that are absolutely just checkbox exercises, such as eating vegetables, going to the doctor, and paying bills (gross), but they have to be done. Granted, I’ve yet to figure out a way to make the latter two more exciting, but at a minimum, there are definitely ways folks have moved beyond the checkbox with vegetables.

Whether that’s by trying a new variety until they find things they enjoy or experimenting with cooking techniques, they make it work. I understand that not everyone will find compliance as exciting as I do, but I think that if we start by changing how we look at the process, it’s a step in the right direction.

One of the first things you can do to move beyond this is to understand or define why you or your company is looking at a compliance standard such as SOC 2. Is it for sales? Is it because someone is asking you about it? You have no idea?

All fair answers. However, I also challenge folks to look at it in two other ways: getting a pulse check to understand your security posture, and as a means to get more money or resources for your team or department.

If you’re an early startup or have been in the game for a few years, getting a glimpse into your security posture from an outside party can assist with seeing what gaps you might have and determine if and how you should address them.

This also supports the theory of compliance by design: by building your controls with compliance in mind, you’re taking steps in the right direction, so it doesn’t become an afterthought or a mad-dash exercise to overhaul your entire environment to try and make things line up. And while compliance doesn’t always equal security, the two are very complementary to one another, so you can also work to have them align to your business objectives and risk appetite.

If you know that a system or application has been in a rut for a while, bring it into scope for your audit. It’s not fun hearing your baby is ugly, but it could inform management that changes need to be made and resources may need to be reallocated to get things in a better operating state.

In short, use compliance to your advantage. Figure out your pain points and see if getting a SOC 2 report can help confirm those suspicions and take one step closer to making compliance work for you instead of sucking the life out of you.
