
Happy Compliance Audit Season!

While many organizations are wrapping up their cloud security compliance audits for the season, we know at Threat Stack that the work of ensuring controls and preparing evidence is never really over.

We work hard to help customers ensure compliance as they go, with deep views into running cloud systems, and make it easy to quickly access the data they need. Plus, with Threat Stack’s security services, we can apply cloud experts to meet advanced compliance requirements like 24/7 alert investigation and detailed analytics reports.

Streamlining audits

Continuous auditing is top-of-mind for many cloud users, especially in AWS. The latest example here is the launch of AWS Audit Manager during Steve Schmidt’s security keynote at AWS re:Invent 2020. We applaud the move and hope it raises overall awareness of the need to streamline cloud security audits in the cybersecurity industry.

There’s definite customer value in tying together state information from AWS Config, user activity from AWS CloudTrail, and describe API calls between AWS services — the core of the Audit Manager approach. However, we’d also say that potential compliance gaps remain when it comes to capturing activity on host operating systems, within containers, and between custom microservices. That’s where Threat Stack excels at picking up your end of the shared [compliance] responsibility model, whether that’s through our behavioral rules engine, ML-driven anomaly detection, human security expertise — or the combination of all three.

Compliance is the outcome of strong security

With customers in mind, we thought it would be good to share some of the compliance-related feedback we’ve received with a few of our favorite quotes:

We’re not a regulated company so we thought we had little need for audits and proving security assurances. We were wrong; I started seeing [competitors] miss their quarterlies because they couldn’t have a convincing conversation around the security of their software. Turns out, when you show your customers secure software, they’ll buy more of it.

This quotation is from a customer in the data management space. I like it because it also speaks to two concepts that another customer, Barak Engel, experienced CISO and Founder of EAmmune, discusses in his book Why CISOs Fail. Barak likes to think about security in terms of the business, specifically as removing sales barriers, increasing customer stickiness, and creating upsell opportunities. Which leads me to my favorite Barak quote:

Compliance should never, ever drive the security program. Instead, compliance should be a derivative of the security program. A side benefit. A happy happenstance. It’s really that simple.

And, lastly, a quote from one of Threat Stack’s customers in the healthtech industry:

We reduced friction in our sales cycle by showing customers Threat Stack’s compliance rule sets and how the controls are mapped around different aspects of the compliance matrix. Ensuring this detailed coverage increased our efficiency and decreased the resources needed to complete the sales cycle.

Case in point! Don’t approach compliance as a check-the-box exercise. Better compliance is the outcome of strong security.

Continuous improvement

We hope your 2020 audit season was quick and painless, and gave you some good feedback on your organization’s overall security posture. If this wasn’t your experience, consider reaching out to us at Threat Stack. We have years of expertise helping customers prepare for audits around HIPAA, PCI DSS, SOC 2 Type 2, and other frameworks.

Alas! Compliance is never truly done, so see you next season!