SOC 2 Compliance: Q&A with Compliance and Security Expert David Carter
David Carter is Senior Manager of Cyber Risk Assurance at The Delta Dental Plans Association, an association of 39 independent Delta Dental member companies that provide coverage to some 68 million people. David has more than 16 years’ experience in compliance and information security, making him a trusted expert. In an Everything Compliance interview, he shared some of the fruits of that experience with Trustero Vice President of Marketing and Business Development Kimberly Rose. This post presents some highlights from that conversation.
Among the key compliance stakeholders in an organization, is there a particular role best suited to be the lead evangelist, promoting and encouraging coordinated compliance efforts?
I generally think everyone has a role to play here. I think all of us who work in cyber management or cybersecurity management are essentially brand ambassadors for security and for our programs, and we should all be evangelizing and championing them. At the same time, I think some of the biggest impact can come from the peers of the CISO [chief information security officer], as well as their direct reports. The CISO’s boss is also a powerful evangelist.
What are some traditional compliance efforts that used to work but are becoming less effective?
This is a question that’s on my mind a lot. One of the things that I ran into when I was with the Big Four is that a lot of the processes are very manual, even today. Financial accounting and financial insurance have done a lot of automation, but cyber and security haven’t done so much.
I think it comes down to a couple of key factors. One is it is very difficult to standardize on the way things are done and the way tools interact with each other. Those interdependencies vary a lot from organization to organization. Another challenge is you need people that not only understand cybersecurity, but who also understand data. That’s what they need to know to run their [evidence] tests, get their assurances, and make sure things are working. How do you find somebody who’s a total expert at cybersecurity with deep expertise in data analysis and analytics? It’s a tall order to find that within a single individual.
So skilled people are hard to find, and business computing environments are getting more complex. What do we do about it?
I think there are two valid approaches to this. The first is the transference of risk. You take some things, and you outsource them to a vendor, and they are then on the hook to do those things. That’s one option. The second one really comes down to automation. We need to automate our decision-making, which is what testing is all about.
How can a smaller, growing business pursue compliance automation effectively?
When I was doing this seven, eight, nine years ago, there were virtually no options for smaller businesses. I’m happy to say that that’s no longer the case. There are quite a few out there now, and they’re getting better all the time, which is great to see. I would caution against looking for a silver bullet. There’s no “one size fits all.” Find the thing that you struggle with the most, then focus on finding a vendor that’s a good fit for that particular struggle.
For more expert advice and information from David on compliance and security, check out his complete Everything Compliance conversation with Kimberly. For guidance in choosing a technology partner, read the blog post, “SOC 2 Compliance: Three Ways Technology Can Help.” And to explore a compliance automation solution designed for emerging enterprises, learn more about Trustero Compliance as a Service.