50 Tech Professionals Reveal: The Top 3 Time-Wasters and Productivity Boosters in Compliance Management

23.01.2023

One of the most important things for me as a CEO is to get a full understanding of our clients’ business challenges around data and compliance.

A big part of my job in leading Vendict is to listen carefully to the customers, understand their problems, and act on their feedback.

A few months ago, the Vendict team decided to pose some questions to tech and compliance professionals to get their take on how compliance affects their jobs.

Well, the results are in. And I’ve got to say, they’re pretty revealing.

During the survey, we interviewed over 50 individuals, including account managers, sales professionals, and SDRs working in the SaaS, PaaS, IoT, and other tech areas. Each of them has years of experience dealing with security compliance in a business context. We asked each of them three questions:

1. What would you say is the biggest time-waster in your job?

I knew from the start that it was a risk to ask such a general question.

We didn’t offer multiple-choice answers. We just asked participants to write freely. The answers could have been very different, and it wouldn’t have been possible to pinpoint the problems I want to solve as a compliance expert.

But in the end, it was worth asking the questions.

Of the non-administrative challenges that respondents listed, the top three time-wasters they described were:

a) Lack of technology to hasten various tasks

b) Technical data not organized or readily available

c) Compliance documentation

TOP FIVE ANSWERS:

This speaks volumes about the challenges companies are facing. It also demonstrates how simple technological tool integrations can make a significant difference in a team’s efficiency and overall productivity. The third response on the list (compliance documentation) is essentially a combination of the first two problems—menial task overload and lack of data organization.

Lesson learned:

Adopting technological platforms that can automate menial tasks and help organize critical information is the investment with the biggest ROI.

2. What routine or process has been implemented in your workplace that has made the biggest difference in your productivity?

We’re all about efficiency at Vendict.

So naturally, I wanted to know what my target audience is up to when it comes to increasing efficiency in the workplace.

By far, the most common response to this question involved integrating technology to better manage information and databases (post-sales call meetings being the distant second).

TOP FIVE ANSWERS:

Getting all these similar answers from such a wide array of participants lends a lot of support to the lessons drawn from the first survey question, namely that keeping information organized is a huge driver of company performance. Remarkably, many participants (without us asking, of course) described in more detail why these integrations made their lives easier. The common thread came down to this: They had all this information just sitting there, in their own network, with no way of accessing it—until they brought on the appropriate platform.

3. Do you feel that customers’ security and compliance requirements are making your job more difficult? If so, in what ways?

Understanding the relationship between compliance and business is at the core of my company.

I’ve spent countless hours discussing this topic with clients. But I wanted to hear from a broader set of people in the field.

Now, to be 100% honest and to my surprise, I received a few sporadic “no” responses to this question. All I can say to that fortunate handful is: “Heaven has clearly smiled upon you.”

But the rest of the participants, as I’d anticipated, had a different story to tell.

The most common descriptions of how compliance made the job harder were:

a) numerous security inquiries that essentially all contained the same question.
b) time spent filling out security questionnaires, which delays sales cycles.
c) back-and-forth communication between the vendor and buyer holding up the deal from closing.

TOP FIVE ANSWERS:

I think the most important thing to take away from the responses to this last question is how disruptive compliance can be for an enterprise.

It becomes a task with such high resource demands that it can hurt the company’s profitability and put a real dent in its ability to function.

What these responses, and indeed the whole survey, reaffirmed to me was that making compliance easier and more efficient for enterprises is not just a compliance issue—it’s also a business efficacy issue.

Unless an enterprise is able to achieve compliance in a smooth and simplified manner, it is essentially handicapped as a business.

That’s why empowering companies with compliance technology transforms compliance from a liability into one of their biggest assets.

Special thanks to the amazing participants who helped make this expert survey a reality:

A Beginner’s Guide to Cybersecurity Compliance

09.01.2023

When thinking about cybersecurity compliance, many organizations think about a challenging, complex, and overwhelming process that they have to go through.

While complying with all the cybersecurity regulations and standards can be a major challenge, it is essential for the organization’s success and growth: it aligns the organization with globally accepted best practices and earns the much-desired formal certifications and attestations that illustrate organizational maturity.

Cybercrime has been on the rise during the past few years, and it has become one of the most significant dangers organizations have to face nowadays. In fact, statistics show that there’s been a 300% rise in cybercrime since the beginning of the pandemic.

So, without further ado, let’s dive into the most important aspects of compliance and data security.

What Is Cybersecurity Compliance?


Cybersecurity compliance is a set of regulations and standards (“formal frameworks”) that organizations are required to adhere to. These are translated into internal organizational controls, which together form the compliance landscape on which the organization bases its own compliance scheme.

These “formal frameworks” are usually set by a regulatory authority or standardization body, and their purpose is to ensure that organizations have a risk management strategy, backed by practical guidelines, that helps them protect the confidentiality, integrity, and availability of their data, both business-oriented information and customer data (PII, PHI).

The regulations that organizations need to comply with depend on several aspects, such as industry orientation and local legislation. Furthermore, as the field of cybersecurity evolves, along with the risks and correlating mitigation, the standards and regulations are also changing, so organizations need to keep up with the latest adjustments.

This is often perceived as a challenge, as compliance requirements can generate confusion. However, what companies need to keep in mind is that no organization is immune to cyberattacks. Up to 2008, when privacy laws changed the game, compliance was mostly a voluntary route for organizations. However, with evolving cyber risks and the tremendously increasing appetite of cyber criminals for data, compliance is no longer a “nice to have” check box on the management’s table, but rather a matter of business sustainability.

Why Is Cybersecurity Compliance so Important?

Now that we’ve established what cybersecurity compliance is, let’s find out why being compliant is paramount for organizations of all sizes. Here’s what you need to know:

    • It is required by law: Like it or not, regulatory compliance is not optional. Companies that do not respect cybersecurity regulations risk huge regulatory fines. Some of the most notorious examples are Didi Global, a Chinese ride-hailing firm that was fined $1.19 billion, Amazon with $877 million, and T-Mobile with $350 million. However, we should not focus only on these enterprises. Hundreds of unknown and much smaller businesses are facing regulatory slaps on the wrist each month. No business is untouched by regulators and none is immune from risks. Therefore, cybersecurity industry standards and regulations are no joke, and implementing a compliance program should be treated as a priority.

    • It improves the posture demonstrated in business deals and acquisitions: Organizations that seek international business opportunities need to align with leading cybersecurity compliance frameworks and certifications. This has commonly become an inseparable part of RFIs / RFPs, a prerequisite for entering as vendors/suppliers in new or refreshed engagements, and part of due diligence toward Mergers & Acquisitions. We need to acknowledge that cybersecurity compliance is setting a mandatory reference baseline in the business world. It is now another parameter that sets the tone and pace of businesses in the global market.

    • It helps you avoid data breaches: Considering that the number of cyberattacks increased by 28% in the third quarter of 2022 compared to the same period in 2021, businesses should take all the necessary measures to avoid a data breach.

    • It helps you protect your company’s reputation: Companies are responsible for their clients’ and employees’ data, together with business-oriented information, so adhering to cybersecurity regulations can help businesses protect their brand reputation and gain trust and credibility in their community.

    • It helps you manage your cybersecurity landscape and infrastructure: To comply with all cybersecurity regulations, you need to efficiently process, store, handle, share, track, delete or retain data, while operating hundreds of processes that involve sensitive information. Compliance provides guidelines and globally accepted “yardsticks” that greatly assist in effectively constructing a cybersecurity scheme.

Security compliance brings many advantages for organizations, and the sooner you implement a cybersecurity compliance program, the better.

Protecting your business against a potential breach should be one of your top priorities and it is essential for your long-term success.

The Most Common Compliance Regulations and Standards

As previously mentioned, there are numerous compliance regulations and standards, and they vary depending on the industry, location, and the type of data you store.

Below, you will find some of the most common regulations and standards that might apply to your company.

HIPAA

HIPAA stands for the Health Insurance Portability and Accountability Act, and it is a federal law that ensures the protection of patient health information.

HIPAA compliance applies to organizations from the healthcare industry, such as healthcare providers, health plans, healthcare clearinghouses, and businesses that handle sensitive patient data.

PCI DSS

PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards that are meant to enhance the security of credit card information.

All companies that process or store cardholder data or other credit card information need to comply with this framework. PCI DSS is managed by the major credit card providers, and businesses that fail to comply with these standards can lose their merchant licenses.

GDPR

One of the most popular data protection laws is GDPR, or General Data Protection Regulation, which is also the toughest privacy and security law in the world. It was introduced by the European Union in 2018. GDPR applies to all companies that collect data or target people in the EU, regardless of the organization’s location.

The law was introduced to offer individuals more control over their personal data, and companies that violate these standards risk enormous fines.

CCPA

CCPA stands for The California Consumer Privacy Act, and it was introduced to enhance the data privacy of California residents.

This law is similar to GDPR and applies to all organizations that handle personal data from California residents. CCPA gives users the right to find out what data companies have gathered about them, to have this data deleted, and to protect their personal information.

NYDFS Cybersecurity Regulation

NYDFS Cybersecurity Regulation ensures that companies implement an efficient cybersecurity program that protects them against potential breaches. This means that companies need to be capable of identifying potential breaches, developing a defence infrastructure that protects them against cyberattacks, and efficiently responding and recovering in case of a breach.

This regulation applies to a wide range of businesses that operate in New York, including service providers, insurance companies, private banks, and many others.

NIST

The National Institute of Standards and Technology (also known as NIST) is an agency based in the United States that has developed a compliance framework that helps organizations mitigate cybersecurity risks. This framework’s adoption has not been limited to the United States, as it has been implemented by companies worldwide.

It consists of a set of guidelines that help organizations improve their cybersecurity. This framework is very important and useful because compliance with these standards will help your company become compliant with other regulations as well.

SOC2

Developed by the American Institute of CPAs (AICPA), SOC 2 defines criteria for managing customer data based on five “trust service principles”—security, availability, processing integrity, confidentiality, and privacy.

ISO/IEC 27001

ISO/IEC 27001 is an international standard to manage information security. The standard was originally published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005, revised in 2013, and again most recently in 2022. There are also numerous recognized national variants of the standard. It details requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS) – the aim of which is to help organizations make the information assets they hold more secure.

What Cybersecurity Standards and Regulations Apply to You?

The standards and regulations listed above are only some of the leading industry standards and regulations that you may need to, or choose to, adhere to.

To make sure that you are safe and compliant, create a checklist with all regulations your organization needs to meet. Also, make sure you keep up with the latest changes in regulatory requirements.

Don’t hesitate to seek expert advice if you are not sure which ones apply to your business or if you need help with meeting all the regulations and standards. Make implementing a compliance program a priority in your organization and avoid exposing your business or your customers to risk.

How Vendict Can Help

At Vendict, we know cybersecurity compliance can be challenging, so we’re here to make things easier for you. We used Natural Language Processing (NLP) to create a solution that helps you save time by automating security questionnaire responses.

We are helping companies of all sizes to achieve compliance and cut out manual and repetitive work. Our solution is dedicated to cybersecurity professionals and teams, sales teams, and proposal managers.

By using our solution, you can:

    • Automatically fill out cybersecurity questionnaires in a matter of minutes;

    • Reduce menial work and focus on truly important tasks;

    • Save a lot of time and resources.

Interested to find out more? Book a meeting with one of our experts and discover how to respond to security questionnaires in minutes.

Company Culture and the Power of the CISO

05.12.2022

When the news of former Uber CISO Joe Sullivan’s conviction broke, it set off a flurry of alarmist commentary on the future of InfoSec.

This was the first time a top executive had been criminally convicted in connection with a data breach. Many viewed the case as ushering in the new norm of jail sentences for security executives. 

Headlines like “Sullivan Conviction Sends Chilling Message to CISOs” were common.

But after a few weeks of sober reflection, it became increasingly clear that the Uber hack and the CISO’s behavior in this case were far from typical. 

Sullivan knowingly hid a major cyber incident for an entire year. Since the company was already under investigation by the FTC in relation to an earlier breach, failing to disclose the hack to federal regulators constituted a felony. 

In short, Sullivan was not convicted of a cyber incident, but of knowingly obstructing justice. 

While this scenario is not relevant to most cybersecurity professionals, I still think there are some very important lessons to be drawn from the Sullivan case.

Pressures of the Job

Being in the corporate data space for a long time, and having dealt with not a few cybersecurity leaders myself, I can tell you: Being a CISO is a tough job.

As the person in charge of protecting the network who is also a C-level company executive, a CISO experiences competing forces that create perpetual pressure. On the one hand, he must be fast and drive innovation; on the other, he must minimize risk and ensure compliance.

As if those interests weren’t already difficult enough to balance, CISOs face a more challenging threat and regulatory environment than they did six years ago when Sullivan’s offense took place, including a spike in ransomware attacks of the very type Sullivan covered up. According to the latest numbers, approximately 82% of large companies were targeted with ransomware last year, compared to only 52% the year before.

Besides the increase in real-world threats, there is also an increase in demand for IT regulation. The last several years have seen large-scale regulation with the likes of GDPR, CCPA, and more recently, the tightening of New York’s DFS rules for cybersecurity. All of this has made the CISO’s job more complex than anyone could have imagined just a few years ago. Of course, these demands will only continue to grow. In response to emerging threats and new technologies, policymakers are hard at work crafting more laws to regulate data privacy—the American Data Privacy Protection Act (ADPPA) and the EU’s AI Act are two notable examples.

With all of the competing responsibilities, the question becomes, “How do these heavy responsibilities affect the way people in charge make decisions and communicate with managers?”

Between a Rock and a Hard Place

As head of Vendict, I’ve had the opportunity to talk with CISOs across many industries.

They tell me about their security challenges, the tools they need to address them, and the difficulties they have communicating with their fellow executives. 

What I find most intriguing (and alarming) is that basically all CISOs, at the end of the day, are facing the same intractable problem: the demands of security and compliance are often incompatible with expectations from their CEOs and boards. 

The sheer volume and complexity of the work they need to get through in order to meet respectable security standards and maintain compliance are so vast that it ends up impeding the operations of the business.

In one talk with a client in the medical AI field, their sales lead told us that before adopting our solution, compliance requirements would routinely hold up a deal closing for three months. Three months! The amount of pressure the security teams were under to streamline the compliance process was immense. 

Even when a CISO does manage to speed things up, it almost always comes at a cost.

In one conversation I had with a CISO—whose company eventually became a client—he related how, at the time, he was using a competitor of ours to automate security questionnaires. The problem was that, while this platform was handling a lot of the menial work of the questionnaire, the majority of the answers being generated were incomplete or just plain wrong. They simply did not have the time or resources to verify all of the details. So whatever the program spit out, that’s what they went with. 

It All Comes Down to Culture

Faced with this conundrum, how are CISOs expected to react?

All the incentives are aligned against them. “Get the security side done quickly so we can continue making money.” From the board’s perspective, that’s a totally legitimate demand. If the CISO raises too many concerns about the cyber risks involved, he’s shut down—or, even worse, shown the door. From there, it’s a short descent into security leads who cut corners and even lie to their bosses and stakeholders. 

True, Sullivan’s story is extreme. But it is reflective of a bigger problem in the world of corporate infosec. 

From where I stand, this problem is only going to be solved by a change in perspective on how a CISO contributes to company value. In many ways, this shift is already taking place. As many CISOs have noted, more awareness of security threats and the increased reliance on information technology in the wake of the COVID-19 pandemic have made companies recognize the value of the CISO and the role they play in enterprise success.

But what is really needed is to equip CISOs with the solutions and platforms they need to address today’s compliance challenges in a way that truly aligns with business needs. Not only to limit the cost of compliance but also to make compliance a value-add. 

Armed with these tools, CISOs will be able to wield maximum influence in the firms they serve. They will not only prevent the next hack but also ensure their organizations thrive.

The Transparency Cure Modern Tech So Desperately Needs

On 14 November the mighty tech giant Google agreed to pay $372 million in a lawsuit brought by a coalition of state prosecutors.

The legal action, submitted by 40 state attorneys general, alleged that Google knowingly misled users about location tracking on their Google accounts. According to the plaintiffs, thousands of Google customers were fooled by ambiguous language and other techniques into believing location tracking was turned off, when in fact it was running in the background of their devices.

The massive monetary settlement is, reportedly, the biggest data privacy settlement in US history.

Google of course tried to play down the issue, stating via a spokesman that the issues identified by prosecutors were “outdated product policies that [were] changed years ago.”

But the problem goes way beyond the issue of whether or not Google knows where you spent Thanksgiving this year. 

This case is just the latest issue underscoring the very real issue of transparency in the world of information technology.

The Extent of the Problem

There’s an old saying in the TV industry, a saying recently popularized by the hit documentary The Social Dilemma: “If you’re not buying the product, you are the product.”

The recent court case involving Google is an excellent reminder of this fact. 

In addition to the massive fine they agreed to pay, the settlement included another important clause Google must now abide by: The company will be forced to make serious changes to its location tracking disclosures starting in 2023, making it clearer and easier to identify when the tracking function is enabled.

This is, at the end of the day, the heart of the issue for which Google was sued in the first place. It’s not that they tracked people’s whereabouts. It’s that they didn’t tell users they were doing it. 

Google and every other major platform in media and IT make their money off of data–data on you and me. Business models like Google’s rely on information collection in order to sell highly efficient targeted ads. Thus, there is a massive incentive to collect as much of that data as possible and not tell users it’s being collected, lest they stop giving it. 

To sum this up: Transparency is contrary to the business interests of our biggest tech and media models.

From Concealment to Manipulation

Unfortunately, the transparency problem does not end with unwanted tracking or data disclosure.

From what I’ve seen after decades of being in corporate tech, I can tell you that the biggest problems go much further, and are only starting to come into public awareness.

Companies that deploy tech are not just failing to disclose important information to users. They are deploying technology that is outright manipulating.

Luckily, in the past couple of years, there’s been a lot more awareness of this issue, especially when it comes to online social platforms. The powerful influence these tools have on their users, to the point of bringing about clinical addiction, is now well known.

But I do think this very precarious situation and the steps necessary to solve it, are still not widely understood.

The popular conception of the so-called “Big Tech” problem is that tech companies are designing their products with the explicit intention of manipulating their customers.

To be fair, there’s quite a bit of evidence to support this view. 

For over twenty years, tech executives have been going on record expressing regret for helping produce manipulative platforms. One of the big milestone revelations took place in a 2017 speech at Stanford by Facebook’s former vice president for user growth Chamath Palihapitiya. During the address, Palihapitiya told the audience he feels “tremendous guilt” for creating “tools that are ripping apart the social fabric of how society works.” 

The knee-jerk response to this has been advocacy for more laws controlling what these technological tools are and aren’t allowed to do. Indeed, the motivation to rein in tech has been one of the central drivers for the sweeping data regulation we’ve all witnessed in the recent period, from GDPR, to California’s CCPA, to the more recent additions to New York’s DFS cybersecurity rules.

Now, while it is true that Big Tech will often create algorithms with manipulation in mind, and yes, regulation does have a role in curbing that, I think there’s something a bit off about the picture.

Well Meaning and Dangerous

The truth is, most tech creators do not go about their work with evil intentions in mind.

Quite the contrary. 

In my experience, most developers actually want to create something that will have a positive impact on people’s lives.

The problem–at least most of the time–doesn’t come from some wicked plan on the part of creators. It comes from unintended consequences.

Essentially all the major tech platforms that have become so ubiquitous in our modern world, today run on smart algorithms, programs that use artificial intelligence to learn about their environment and alter their own behavior. These programs are created in order to optimize products, enhance user experience, and improve the overall service being provided.

What we are discovering more and more, however, is that by instructing an AI engine to achieve a certain goal, we are unleashing a range of consequences we could not have anticipated. AI algorithms designed to increase productivity for example have been shown to produce deteriorating working conditions for employees as the expectations of the AI do not comport with how actual humans operate. Similarly, AI models used to determine the best candidates for certain job roles have produced huge biases in hiring practices within the companies that use them. 

Similar, and in my opinion much worse, effects have taken shape when AI is used in personalized user platforms. What the creator intended was to give the user a more attractive product. But what it ends up doing is using manipulation to get the user hooked. This manipulation can take many forms, including personalized addictive strategies for consumption of digital goods, or taking advantage of the emotionally vulnerable state of individuals to promote products and services. This manipulation can become powerful enough to inflict immense psychological harm on users, especially young people.

The important point to highlight here is that this was not an outcome that anyone planned. No nefarious cabal of tech creators sat around one day thinking up ways to emotionally torture millions of teenagers. 

It was the effect of instructing a powerful technology to achieve certain outcomes–outcomes you could argue desirable in and of themselves–but without knowing the consequences it would produce along the way.

The Transparency Cure

I’m a firm believer in the power of creativity to take on our most pressing challenges.

It was on the basis of this belief that I co-founded my company and it’s what today allows me to support my clients and help make their enterprises thrive.  

I don’t want to see a world where we are afraid of innovation and technological advance. And while regulations and rules have their place, they cannot be the end-all solution. Too many laws governing tech can impede growth and reinforce an attitude of skepticism toward technology. 

What I believe is the cure to our data technology conundrum can be summed up in one word: transparency.

By bringing back the value of transparency into tech creation, we can revive a sense of trust between consumers and creators. We all understand companies deploy platforms so they can profit off of their use. But disclosing how those platforms are used (and how they are often using us) is essential if we are going to continue on this amazing growth trajectory we’re currently riding.

Some doubt the viability of integrating transparency into the datasphere, since the cost and resources of restructuring our current way of doing things are too high, and no one will want to undertake the challenge.

This is why we need to start deploying solutions that can help us carve a path forward.

In my experience, when people learn of the damaging effects lack of transparency causes, they become genuinely concerned. When they realize how transparency and trust can add to their value as an enterprise, they become excited. The minute they learn about the smart platforms that can make transparency a reality for them, they feel empowered. 

Spreading this empowerment is Vendict’s mission.