By Paulo Rodriguez, Head of International, Vanta
As a business grows and matures, demonstrating compliance becomes ever more important. After all, it’s tied in with sales and procurement, and many larger organisations will only work with suppliers that can prove their compliance with standards and regulations such as ISO 27001, GDPR, or the US-favoured SOC 2.
This is good business. What demonstrable compliance offers, beyond security and privacy, is a way to judge the capability and resilience of a business. This is another way of saying that a compliant business is a trustworthy one.
However, getting there, and proving it repeatedly against evolving customer demands, has generally been a long, drawn-out, and expensive process. All the steps are vital, but they are tedious administrative overhead. They include tracking and staying on top of user credentials, securing software and devices against vulnerabilities, and getting the required proof into the questionnaires customers ask their suppliers to submit. Plus, the landscape is ever-changing, so staying on top of compliance is a whole other task once it has initially been achieved. Firms cannot ‘do’ compliance in one go, and once they’ve ‘done’ it, it does not persist.
But when SMEs conceptualise compliance as a cost centre, they aren’t seeing the full picture. Demonstrating compliance is not a top-down mandated barrier to profitable activity. It’s the stepping stone to unlocking bigger, higher-value customers. Trust is at the heart of commerce, and demonstrating trust is the core of compliance and security. Managing that trust is an area where a business can compete to grow market share faster.
Winning on trust
Digitisation has given SMEs the power to promote themselves to a wider pool of prospects and to serve more, and more varied, customers. Of course, it offers the same benefits to large enterprises, but they use technology with a different customer service style, selling a more commoditised, less personal service.
SMEs have always banked on winning by offering a more personal, trusted service. Ironically, it’s only through digitalisation that smaller businesses can manage the business and technology administration that comes between them and profitable time with their customers.
With business operations built on a digital foundation, the two big bugbears are security and compliance. These have grown more challenging with remote working, cloud computing, and the greater use of APIs and apps – all contributing to widening the security ‘perimeter’ and creating new areas of risk.
Strong compliance and effective security also directly protect profits and business continuity. A resilient business can outlast and outperform its rivals and drive down the costs of cyberthreats and IT inefficiency. Trust can accelerate revenue growth when the business can outcompete on speed and efficiency during tenders – demonstrating trust quickly, time and again, when enterprise customers ask for proof.
The digital native automates
We live in the digital world, so automate. This is the most useful advance of recent cloud computing and digital transformations – and a very necessary one for SMEs lacking dedicated IT teams. Big customers request proof of compliance through security questionnaires – usually spreadsheets. But spreadsheet risk is a known issue, and businesses have been discouraged from relying on them for many years. The ICAEW says that 90% of spreadsheets may contain faults. They are prone to human error of many types and may be superseded by events and quickly rendered obsolete, yet many SMEs will use them as a vital repository of information because they are cheap and mostly user-friendly.
Relying on static sources of business information means the business is not operating in real time and cannot look ahead to see rapidly growing areas of risk. Additionally, the volume and speed of information produced by business operations and digital infrastructure is too much for an SME’s IT team (if there is a team) to manage when a customer requests a security review. Time spent gathering answers for the data request is time away from building, maintaining, and securing the business.
Automating the workflow of gaining compliance speeds the process from months down to days and shifts the workload from discovery to action and remediation. It’s a natural outgrowth of the automation required in the cybersecurity field, where the volume of data, logs, and alerts quickly becomes overwhelming without something shaping the flow and directing human attention to where it’s most needed. Distilling this noise to a filtered view enables the SME to act where it matters most – patching critical risks or performing maintenance before a service fails. Automation services also enhance the power of the human in control and allow them the freedom to spend more time on the business itself.
Using automation in trust management (the business software category covering the planning, execution, and demonstration of security and compliance) also helps to enrich data with contextual insights. By telling users what the data means, smarter software helps SMEs begin to track and then remediate issues more demonstrably. It speeds up the whole workflow, allowing businesses to hit compliance goals, prove them, and leverage that success immediately.
Far from box-ticking, SMEs can now show off their compliance to prospects more easily and earlier – winning more business while peers are still getting to grips with their technical back end. Investing in automation that empowers people is the only way to allow skilled professionals to shine in their roles and compete on trust in the marketplace.