Get ready for outbursts of profanity from compliance managers…

[Pharma ad voice-over]: Do your customers quickly forget your security certifications?

– Do customers’ auditors repeatedly ask for the same security control information?

– Do you wake up in the middle of the night, wondering why your security certification isn’t good enough for your customers?

If so, then you may have “Supply Chain Compliance Deja-Vu”… 

</end pharma ad voice-over>

Yesterday, I was speaking with a friend who is a compliance officer at a major SaaS software solution provider.

Apparently, new supply chain security initiatives have resulted in some frustrating inquiries by auditors their customers: 

compliance training shouldn't be your only focus. Image of binoculars

Photo via Getty Images & Unsplash+

It’s been a “super-fantastic” experience to see people learning and talking about security threats.

For just $325 USD, you can run a 6 week, automated program for phishing, social engineering and working from home.  (Normally valued at $450 USD)

Use Promo Code: 6WEEKS

1. Auditors ask the same questions as those in their valid security certifications (i.e. SOC 2, ISO 270001, PCI, etc.)

2. They require details on “how” the controls are implemented.

3. They require new forms to be filled out, rather than just noting, “Covered in SOC 2 control [X]”.

I’m not saying it’s not important for customers to have the assurance that their suppliers are secure. But this seems really inefficient to me.

The suffering of suppliers could be reduced if there were a solution that could ingest all of their security certifications and policies, and allow smart querying.

I imagine typing in a question like, “How do you detect malware on all endpoints?” and the solution would find the certification responses, policy requirements and maybe even implementation documentation.

There may be a solution like this already. Let’s help relieve the suffering of our compliance managers.


Scott Wright is CEO of Click Armor, the gamified simulation platform that helps businesses avoid breaches by engaging employees to improve their proficiency in making decisions for cyber security risk and corporate compliance. He has over 20 years of cyber security coaching experience and was creator of the Honey Stick Project for Smartphones as a demonstration in measuring human vulnerabilities.