111. Modernising compliance with Paul Wenham


Paul Wenham joined Claire to talk about the what, how, and why of starting Assurance Lab. They also cover the value of auditing, how compliance can be the foundation stone for startups, and his new book, which he is making open source for others to contribute to; and they talk about the fact that Assurance Lab is a B Corp, and why that is so important to Paul and his team.

Paul has worked in cybersecurity audits and compliance for over 11 years. His past roles have spanned professional services at PwC, leading the cybersecurity and compliance program for the global software company Qstream, and governance over third-party cyber standards at Westpac and Mercer.

Paul founded Assurance Lab in 2018, a regtech software and audit services firm now working with over 150 cloud software companies across 12 countries. Assurance Lab supports their security and compliance programs to meet global standards (SOC 1, SOC 2, ISO 27001, HIPAA, Consumer Data Right, CSA STAR, GDPR, CCPA, and ESG reporting). Assurance Lab has a broad network of partners in the cybersecurity industry, leveraging the natural synergies that come with its independence as an audit firm.

Links:

Website
Assurance Lab LinkedIn
Paul LinkedIn

Episode 102. Cyber in Local Government with Paul Barrett

The Security Collective podcast is proudly brought to you in partnership with LastPass, the leading password manager.


Transcript

Hello, I'm Claire Pales and welcome to The Security Collective podcast. Today's guest is Paul Wenham. Paul has worked in cybersecurity audits and compliance for over 11 years; he co-founded Assurance Lab in 2018, a regtech software and audit services firm now working with over 150 cloud software companies across 12 countries. Assurance Lab deals with global standards including SOC 1, SOC 2, ISO 27001, HIPAA, Consumer Data Right, CSA STAR, GDPR, CCPA, and ESG reporting. Paul joined me to talk about the what, how, and why of starting Assurance Lab; we cover the value of auditing, how compliance can be the foundation stone for startups, and his new book, which he is making open source for others to contribute to. We also covered the fact that Assurance Lab is a B Corp, and why that was so important to Paul and his team. I'm sure this won't be the last time we talk to Paul as the regulatory landscape shifts globally. Please enjoy the insights from Paul Wenham.

CP: So Paul, it is great to have you join me on The Security Collective podcast today.

PW: Thanks for having me.

CP: We've heard a bit about you. In your bio, you are the co-CEO and founder of Assurance Lab. What is the barbecue test for Assurance Lab? What do you say to people who ask you what do you do for a living and why?

PW: We certify companies to say that they're secure, they're reliable, they're using people's data appropriately, even looking at environmental and social factors. So we do that for tech companies to help them build trust and grow their company. Of course, if the barbecue was hosted by The Security Collective, I'd probably just say that we do audits and certifications for global security standards.

CP: And why is it that you've taken on this task, what made you want to run this?

PW: I sort of fell into it. I started in Big 4 auditing, and really just saw the market problem as compliance becomes a necessary activity for all businesses. There are so many software companies out there, particularly start-up companies, that are really struggling with that problem. They don't have compliance experts, they don't even have a security team in some cases. And they can fall behind in their growth until they're able to achieve compliance with these standards. And so we just saw that there had to be a better way to make this accessible to companies of all sizes. And that's really what I've set out to do for the last five years, to solve that trust problem so that companies can have the opportunity to succeed by meeting the compliance requirements of their customers and other stakeholders.

CP: It's interesting when we talk about audits, because a lot of people feel that audits are a nightmare, or are just going to generate more and more work for people, particularly security teams. And we had a guest on last season, Paul Barrett, whose quote, kind of, was that audits are a gift; that was back in episode 102, if people want to go back and listen. But I'd love to hear your thoughts on audits being a gift. How do you see organisations better leveraging audits and using the findings to support their security programmes?

PW: Yeah, I really liked that way of putting it. I might have to meet Paul Barrett at some point. But yeah, look, I agree. There's a lot of value in audits. And I think sometimes people lose sight of that, because of the high cost, the effort, the disruption that they can cause to the teams. And people tend to shy away from it accordingly, and then not get all the benefits out of it, because they might see it as more of a box-ticking exercise. But when it's done well, people can actually enjoy audits; we do have clients that say they enjoy compliance and audits. It really challenges how things are done in a company, it finds ways to improve things, it helps them operate in a more effective way. And when the audits are done for compliance standards, like we do as a company, it's achieving something valuable as a team that helps their company grow, as I mentioned before. And so I think security teams that we work with can really embrace audits and compliance to their advantage. They can use it as a crutch to get better outcomes for security. I mean, you've probably heard it on all your past podcasts, it's really hard for security teams to get buy-in from the broader company, get the budget that they need, get the stick that they need to really get security prioritised across the company. Audits and compliance, as we do them, really help in that regard.

CP: And I know, you know, Assurance Lab is obviously a relatively new company, and you're bedding down processes, and you've committed to writing a book about it, which is exciting. And I want to say congratulations on committing to writing a book. It's a massive undertaking, it is definitely not an easy thing to do. And I think it's going to be about your experience with SOC 2 and some insights around that. Is this going to be a how-to book? Is it going to be a whodunit? What questions can readers expect you to answer in this book that you're authoring at the moment?

PW: Again, I sort of fell into it, because I started talking about our experience of going through SOC 2, and the response that I got on social media was just beyond anything I've experienced before. And that's when I realised that there is a problem here, that people need this information; everyone is falling into audits and compliance as a critical business activity. A lot of companies, as I mentioned, don't have those compliance experts or security teams, and it's just so daunting and complex for them. And so yeah, I really just committed to writing the book. I've got a couple of collaborators now, which should help, two other experts over in the US market. We're also going to open source the book and leverage the broader community. It's been amazing to see how many people actually want to get involved in it, I guess also recognising the need, but also feeling that they've got valuable insights that they can share with others. And it's really just about that one problem, that audits and compliance are such a daunting, complex topic. And so we're really going to take a practical look at that. How did we actually achieve that as a company? What were the ways that we looked at certain things? How did we navigate some of the pain points? What are the real areas that you need to focus on to get right? And what are the other areas? These are probably my personal favourite: what are the areas where you should really back yourself and speak up to your auditor? We hear time and time again that, you know, particularly traditional audit firms, or really any auditors, tell people what they should be doing, and it doesn't necessarily fit their business. And so I think it's really important for every company to have the confidence to speak up and say, well, actually, no, this is what makes sense for our business. This is why we've done it this way. And this is why we believe it covers the risks and the compliance requirements. That's where you get the best dialogue between compliance subjects and their auditors, and really better outcomes for everyone involved.

CP: So do you have a published date for the book, are you aiming for a particular date and working back from there?

PW: No, it's been on my to-do list, honestly, for the last sort of five or six weeks. We've got really side-tracked with a lot of things going on in the business. I am hoping to get it launched, in terms of open sourcing the book on GitHub, this month; if not this month, definitely next month. That way people can start collaborating and contributing to it. And then in terms of finalising the book, you know, I would say earmarking early next year. But I think probably the point is not necessarily having it finalised, but more having it as a forum that people can all contribute to. And it may always be this work-in-progress book that we can, you know, put out in different versions informally on social media and things, to help give people the content that they really need.

CP: I want to come back to something you said earlier about compliance being a box-ticking exercise, because I think lots of organisations become hell-bent on meeting compliance box ticks. You know, they get focused on investing in meeting the auditors' expectations. And when I say auditors, and I'm sure you're the same, that takes in anything from, you know, APRA, to ASIC, to internal auditors, external auditors; there are so many people now that want to have a look under the hood of organisations. And so I think businesses can come under pressure to use their cyber investment dollars to meet compliance obligations. How do you explain the value of being secure as well as compliant to companies who are just focused on meeting the expectations of a regulation or an auditor?

PW: Yeah, it's a really good point. I guess that's why security teams sometimes have this negative view towards compliance, in the way that it can divert attention away from their real security objectives and the areas where they need that budget. I think, as I mentioned before, like, you know, the companies that do it well are the ones that see security and compliance as complementary goals. They use compliance as the way to get the investment, to demonstrate the value of investing in security, and actually use it the other way, so you get more budget, and then are able to distribute that budget more into the security objectives of the company, using compliance as the commercial driver for why you do that investment. But yeah, in terms of the real value of the two, obviously security is about keeping your company alive, like literally, at least avoiding an Optus situation like we've seen, unfortunately, play out recently, that can damage brand and trust and may take many years to recover from. The value of compliance is really the trust that drives that commercial value. And so if people use it in the right way, you can use it as a leg up to good security. But as you say, if people are in the mindset that compliance is just ticking a box, as opposed to really trying to support the security objectives, that's where you can say that it doesn't work as well in practice.

CP: And in your view, or within your work maybe you're dealing with smaller organisations or start-ups, who then have to also face compliance obligations, what makes sense for these growing companies? Because, you know, lots of people talk about when you're in the start-up phase, you're just trying to get product out there and everybody's wearing multiple hats. And from a compliance perspective, it may be that that's the only security focus they might be looking at. Where should they start? They're cost constrained, they've got to justify expense to investors, what's your thinking around, you know, when should they start to look at security and what makes sense for them?

PW: My view would be to invest as early as possible. Obviously, there's a bit of give and take; if you don't have a product yet, you're probably not going to go too far with compliance and security. But the analogy I've used, or have heard used before, which I think really fits here, is that compliance is like laying the foundations for your security programme. But it can also be the foundations for scaling your company; it helps build consistency and helps you have defined processes and things like that. You hear a lot of companies talk about the growth pains if they haven't got that sorted before they go through a growth period. So I think there is a really strong case for saying invest in compliance early. With the maturity of investment markets now, I think they very much recognise the value of compliance, and probably security by extension. When we look at VC portfolios in Australia, we've got a huge amount of overlap between the clients that we work with and those being invested in by Australia's leading VC companies. I really expect that those VC companies understand the importance of that investment in terms of being able to scale and win those larger customers. Doing it early and not retrofitting it later makes it a lot easier to do. So even if you don't, you know, if you don't formally commit to doing the audits and achieving the compliance standards, even just mapping out your compliance from an early stage and seeing what else you would need to do to get to that level, you can start organically working towards it and have it on your roadmap, as opposed to being caught out when you get to a certain stage and the enterprise says, well, where's your SOC 2 report? And they say, what's a SOC 2? You know, I think the expectation is becoming that people look at compliance a lot earlier. And even one of our partners, Citadel One, their platform is all about implementing highly compliant infrastructure from day one. So you actually really factor in where you're going in the future and get the foundations right from the start.

CP: And do you recommend that start-ups partner with third party experts? Or should they have someone inside their organisation that's driving this, or both?

PW: Yeah, I think both for sure. The gold standard is that you have people on the inside, whether it's you've hired them full time, or you engage security and compliance consultants, and we have some really good partners that we've worked with for years across many of our clients. And there's just a huge amount of value to be had by people that actually invest in that and understand where they can benefit from that. Our model has always been developed to engage people as early on in the process as possible. We gear most of our fees towards the outcomes. We have a lot of flexibility so they can start anytime, finish anytime. And we offer a lot of free software and guides to our clients. And the point is really just trying to get them on the journey as early as possible because it gets the best outcomes for them. And that's really what matters to us, it's the long term relationships that we build with those customers and then do the annual audits thereafter. But we recognise the importance of getting people in at the ground level and started as early as possible.

CP: It is reality, but it's tough to think that the gold standard is to have a dedicated security leader or operator inside your organisation. It would be nice to think that that's one of the early hires, especially in a company that needs to have things like SOC 2 compliance, or any level of compliance, really. This obviously becomes more complex when we start to look at other geographies as well. And not just for start-ups, but for all organisations who might have customers or operations across the globe. How are you recommending that customers navigate, sort of, the regulatory minefield of operating in multiple countries? And how, I guess, do they move forward in that respect, and should they be worried about entering new geographies because of the regulatory landscape?

PW: Yeah, it's a really good question. I mean, to start with, I don't think they should be worried about it. They should definitely plan for it; it's one of the core considerations for us expanding into the US market early next year. It's the compliance side, it's how do you get boots on the ground, how do you have the right budget to launch over there? Like there's sort of, you know, a big three or four things that you consider, and compliance should absolutely be one of those, but not necessarily something to be worried about. I mean, most of our clients are cloud software companies, so they do export their product, and we see this challenge quite a lot. Previously, you could get by with questionnaires and things for all the different regulations and standards around the world. But now, often, enterprises want to see an actual audited, certified standard to prove that they are compliant. So our top tips are: clients should really map out their compliance early to understand what's required and how they stack up across the different standards and regulations. We've got free software on our website that makes that easy. We also recommend they understand the drivers for the different standards. Do they have particular customers that are going to require it, or particular market segments that they're targeting, and different geographies that are really going to trigger those needs, so they can get ahead of it and plan towards it? We do have a CXO guide for compliance that's focused on that point, which again is available on our website for free. And ideally, I mean, this is the part where we're a little bit biased towards our own approach, because we've really adapted it to solve this market need, but we think working with one provider is the way to go. It really removes the massive duplication between the different standards and regulations that are out there, particularly cross-jurisdictional ones. So many standards are just so similarly focused. And then also building flexibility into the compliance programme, to be able to adapt to the changing market needs. And often we see companies say, alright, we're launching in the US now, then we're going to launch in Europe, and then they actually switch that around. Or an enterprise comes up out of the blue and says, actually, you need this or we're not going to use your software, and that really prioritises one of the standards. And so that's what we recommend: they build that flexibility into their programmes as well.

CP: So when you say flexibility, you mean, as an organisation, because enterprise wide, they would have to be different pockets of the organisation that are contributing to that compliance. So when you say be flexible, it's more about as an organisation, you know, being a little bit fluid about what controls need to be put in place at different times in order to meet those geographical regulatory expectations. Is that sort of what you mean?

PW: Yeah, spot on. I mean, if you visualise how it works in our process, we map out all of the compliance standards and how the different controls and activities roll up into those different standards. And so we put that all into a consolidated compliance programme that they can filter. For example, we had a client that was expanding into the US, and they wanted to target SOC 2 initially. So they filter that board to just focus on SOC 2, and let's say you've got 90 SOC 2 controls, but 60 of those also relate to HIPAA, which is a healthcare data regulation. We had a client targeting that, and then a customer came up and said, we need a HIPAA report, or we can't work with you. And so they flipped that prioritisation and said, actually, let's park SOC 2, let's prioritise HIPAA, and then the board gets filtered the other way around. And you go, okay, they've already implemented, you know, 50 of those HIPAA controls as part of their SOC 2 work; now we just need to focus on these residual ones, which are required for HIPAA but may not be required for SOC 2. So it's just having that flexibility. There's so much overlap. And it's the same core controls and the same core compliance framework that should really underpin all these standards. But just having a bit of flexibility with how you actually complete the audits and report on those different standards.

CP: I think it's a good thing that it allows for businesses to think through while they're going through this process of expanding into other countries, what the expectations are there because it can only benefit, the more compliance frameworks that they have to meet, surely it can only benefit them from a security perspective.

PW: Oh, yeah, absolutely. I mean, we're in this, we call it the compliance perfect storm, right. Like public expectations continue increasing, there are new and emerging regulations all over, in particular privacy acts popping up in every region that people need to comply with. There's also, you know, greenwashing and false claims out there. So people aren't trusting what companies just say; it needs to be audited and certified. And so all of this is just going into this perfect storm. Compliance isn't going away and the number of standards keeps increasing. But obviously, at the core under all of these standards are good principles around security and managing a company in an effective way. And so I think the more of these standards you bring in, you know, you could say, if you just went for a SOC 2 or you just went for an ISO 27001, they do have ways that you can kind of box-tick and get through the process without maybe getting the best security fundamentals in place. But when you look at multiple standards, that's really where you can get caught out if you don't get the foundations right. And so I think, yeah, to your point there, the more drive there is for compliance, the more companies are going to be secure inherently from working through that.

CP: You spoke just now about greenwashing. And I've got a really growing interest in ESG. I'm probably going down a rabbit hole, reading books and listening to podcasts about it. But I'm interested to know a little bit about how the work you guys are doing is contributing to ESG reporting requirements. And I know globally, there's a sort of a real difference around how ESG reporting is coming together. And there's not a lot of mandates. But how are you guys contributing to that?

PW: Yeah, so we're a member of GRI, we're following different standards around the world, and we're generally just very supportive of all of the developments in this space, wanting to collaborate and wanting to work with others. But actually, earlier this year, we introduced our own ESG framework. And then we built our software to kind of support that, with the data points and with the different control activities that can roll up into that framework. And then we're piloting our audit and reporting offering at the moment. So at the moment, we've got three non-commercial pilots going on, while we explore what that looks like, how companies actually get the commercial value out of this to justify the investment. As you know, the ESG market is just more immature. But I think it's really characteristically similar to the information security market 10 years ago; like, people are starting to adopt it, people care about it. Early adopters now get a bit of commercial advantage. And I think we'll just see that continue to increase over the next, you know, 3, 5, 10 years, with it becoming a default expectation of companies, not just something that makes them an industry leader. In terms of the framework that we introduced, the problem that we see is there are all these ESG standards out there, but they're really designed for the top 1% of publicly listed companies. They tend to focus on ESG from a financial public reporting standpoint, looking at risks and opportunities related to ESG, and not necessarily just what has a positive impact and what is doing good for that company. And so it also has large-scale programmes that are needed to manage it, and high costs, obviously, involved accordingly. And so the way we see it, that's just not viable for 99% of the world's businesses, particularly in the market at the moment, where there's not much maturity, and not much formal push for those 99% of businesses to actually adopt it. But obviously, there's still commercial value in it, like I talked about. You know, we're a B Corp, and that comes up in most of our candidate interviews; people want to work with companies that do good. Our employees say that they're proud to work for Assurance Lab. And obviously, that's hard to measure in our ROI, but I'm certain that contributes to our company's success, and so there is definitely value there. And then there are also companies like CommBank and Coca-Cola that do positively discriminate based on ESG factors. So they do ask questions about it, they do prioritise working with suppliers that can prove they do good in the ESG space. So I think all of that coming together will help push further investment in ESG compliance. And our expectation is it's only a matter of time until we see that translate into more audits, more certifications and reports that come through the line.

CP: Yeah, I mean, the interesting thing about ESG, obviously, or not obviously, but data security sits inside the social or the S part of ESG. And obviously risk sits under the G. There's not a lot of mandates around from a cyber perspective, what you need to report and what I've seen in a lot of sustainability reports and ESG reporting is that organisations will say, this is how many reportable cyber incidents we had, or we had zero reportable cyber incidents. That doesn't actually tell you very much about the cyber risk posture or positioning of that organisation. It just tells you that whatever did happen to them during the reporting period, they were able to contain it so it wasn't reportable. What are your thoughts on cyber as a reporting requirement under ESG?

PW: Look, firstly the thing that was really interesting for us building the ESG framework is just how much overlap it has with cybersecurity standards. They're really all underpinned by good governance as you said. Certain things sit in the E, certain things sit in the S, certain things in the G, you know, by classification, but they're all underpinned by good governance, effective management and operations of the company. So that was the first really interesting piece. When you build on that in terms of, I guess, a core foundation of that as well as transparency. So when you talk about like reporting of security incidents, and things like that, it all fits into transparency. And you do see some modern companies that are leaders in the space, really being proactive about reporting security incidents, and you see others like Uber that try and cover it up and come under a lot of fire. And it all fits that same theme that I talked about before. It's all about trust. Trust, transparency, building your brand and building your trust with your audience is just going to be so important to all businesses to succeed in the modern world where that trust is critical to company success.

CP: And you mentioned earlier about being a B Corp. And certainly I think that is a, it should be a badge of honour, you know it's not easy to get. But it does show, I guess, elements that allow both clients and employees who want to join your organisation that trust that, you know, they can trust that that is a mark of effort that you guys have put in to meet the expectations of B Corp. Is it something you always aspired to put in place? Or is it something that that sort of just came naturally? What was your thinking around getting a B Corp status for yourselves as a start-up?

PW: Yeah, thanks for asking. I love talking about our B Corp status. I've had a lot of questions coming from different people. And for us, it's really proven its ROI, just in terms of how many times we do get asked about it by candidates, by other customers that we work with. We've won certain customers because they've referred to how we're a B Corp, and that they really value that. It's something that I would encourage all businesses to think about. It's certainly attainable. I mean, it is difficult, it took a lot of effort, there was a lot of time put into it. And it's probably one of the standards where it's a little bit harder to fake your way through it, because you really do need to commit to the underlying principles of, you know, caring about your impact and prioritising positive impact as a company. But I think the key myth I want to sort of bust in this session is the idea that positive impact is a conflicting objective with profit. I absolutely don't think that's the case. I think everything we do, as part of our B Corp programme, is considering profit and purpose as mutually supportive objectives, not mutually exclusive. And so yeah, I think it's great. I think it absolutely has ROI for us. And I think we'll certainly see more businesses adopting it in the years ahead.

CP: Well, congratulations on the B Corp status. Congratulations on Assurance Lab, the people I've spoken to who are clients of yours, rave about the service. And I think anyone who's trying to do security differently and support organisations to reach their profit and their purpose is in a good place and doing good things. So Paul, thank you so much for your time today and good luck with everything and hopefully we'll get to talk to you again on The Security Collective podcast.

PW: Sounds great. Thanks very much for having me Claire, appreciate it.

Previous: 112. Security as a differentiator with Jamie Newman

Next: 110. The DevSecOps Playbook with Paul McCarty - Part 2