Streamline your saas sales cycle for security with signnow

How to create outlook signature

your company decides to undergo sock 2 and stand out in a competitive sas crowd as a security committed company but employees are now overwhelmed by manual admin workloads of preparation being disrupted for hundreds of hours delays in sales and growth are now a reality imagine a solution that makes getting sock 2 ready fast simple and smart scitel ai is the answer to make all your sock two workflows centralized and simplified in one place focus on your core business while we automate your evidence collection and monitor your controls 24 7. when non-compliance happens you are informed instantly your own policy center security awareness training assets mapping and audit management you may be thinking how great this sounds however you still need support to navigate through the process at scitel ai the road is never alone our compliance experts will walk with you right to the finish line we work how you work it's a tailored compliance partnership once you hit start we integrate your tech stack add your team perform a gap analysis and complete all action items necessary for you to gain ultimate sock to readiness to pass your audit successfully book a free consultation and see how you can count on scitel ai as your trusted compliance partner [Music] thanks for tuning in to the future of sas festival we really hope you're enjoying the event so far all sessions are designed so that you can interact with each other so make sure to join in on the discussion and have your questions answered by our brilliant speaker for all things sas related don't forget to check out the future of sas memberships simply head on over to our website to get started now sit back and enjoy the next session [Music] hello everyone and welcome back to the future of sas festival so today we've got an absolutely fantastic guest speaker uh joining us today so it's mayron gallis who's actually the ceo and co-founder of scitel and he's going to be discussing how to build trust and boost sales through smart security compliance before we get started though i'd like to invite everyone tuning in today to drop and say hi let us know where you're from in the chat box and also mehran will be answering your questions at the end of the session so without further ado i hand you over to our guest speaker today mehran galles thank you very much alex thank you for letting me am happy to be over here so nice to meet you all guys um and let's make fun in the next um 30 minutes so um about security and compliance for sas and this session gonna mainly be about how to build trust boot cells for smart security compliance for startups for sas companies uh which they have cloud-based platform they build in the product maybe they're already selling the product maybe it's around the seed around there or maybe around b and then they understand that they need to go for security compliance stuff like stock 2 iso 27001 gdpr um ccpa cmmc and basically it's endless so the session today is going to be about this one i will be discussing about the best practice about friends about what we're going to see in the upcoming future um so my first question does compliance equals security and that's a a very interesting question for those of you that already been going through compliance um not necessarily you will think instantly that the answer is yes um so it's very depend there are multiple framework out there and for security multiple framework for controls and actually it's require a combination of walk and we're gonna see uh during the presentation what you're gonna um what you're gonna see uh while from the beginning of the presentation comparing to the end of the presentation so keep this question in your mind and we'll see this um down the road now for those of you that already been going through compliance or for security audits maybe this picture will make some sense and everybody knows that we are pretty occupied during the year and then we gonna get for an audit meeting it's gonna be a series of meeting and actually what most of the company are doing also majority of the company are doing is that they are not operating effectively as monitoring their internal controls while they're but actually two three months before the audit they start working on stuff collecting evidence making sure that everything is all right and after they pass in the audit they they will have another nine months of of um just relax in the aspect of the relevant security audit so for us that uh that already been through compliance you may know that it's very demanding you need a and to honest stakeholders you need to speak with a lot of people um collection of evidence this is literally hundreds of evidence and then some external auditor and by third party auditor coming to the company and just asking you a lot of questions in which you need to prove them you need to um they walk the best methodology on trust but verify and they will actually deep dive and see how the companies literally operating um and literally equal actually so they're gonna ask from your stuff and proof and you will need to show them we don't want together we want that the other day will be just another day at work we don't want it to be some um special project that all the companies need to um join forces and walk strongly into and just achieving uh the successful results and passing the audits so why do companies need compliance first of all this is a customer requirement or in some cases this is just a low requirement of regulation and gdpr and cr and gdpr ccpa based on the country and the region you have multiple privacy regulations worldwide and so you have a regulator and you can get a fine and you can actually pay a lot of money if you are in having non-compliance and as of customer in many times especially for startups they trying to sell the product their champion actually love their product but then when they move on the the sales cycle they will interface their security department or maybe the legal department or their financial and department of all the compliance department and they will be required from you and to supply some kind of security certification so this is where you're gonna face the uh the half proof of security compliance second is competitive advantage if you have a solution and you have a competitor and they have more or less similar solution and you don't have any kind of security compliance that's mean that they will go through the security compliance faster than you and that's very good for them because then they get for their maybe procurement department and they're very close into closing the deal so that's why you want to have this competitive advantage also you want to build trust you want your customer and prospect to be trusting you you don't want security to fail the deal so this is very important and last but not least it's security standout it's actually going to build a very robust security standard in the company it's going to put out of some proper processes procedures organizational policies implementation of security stuff like multi-factor authentication code review as part of your software development life cycle proper risk assessment and etc so this is why it's so important um especially in the world after kovi 19 that many people working from home and for multiple countries and we're going to speak about that in a moment so the main challenges in security and compliance is first of all it's inefficiency all right you need to do hundreds of things literally hundreds of things manually that would say creating some documentation like policies and procedures and they work on their risk assessment role based access control review your sub service organization soak two reports and etcetera so this is vast and that's going to accumulate hundreds of hours from your time second it may be inaccurate first you need to understand the scope you will need to assess the scope and just make sure that you are in on the safe side you don't miss anything from the scope for example if your infrastructure is based on amazon um cloud services aws amazon web services um and also let's say you have some data customer data retained on mongodb by atlas if you may ever forget atlas to be part of the scope that means that the scope is not full it's not complete so that's a problem also this is a one year event this is not a continuous event the auditor will come and pass the company one year over a period of time it might be discussing about if you're speaking about sock too so the auditor will check the effectiveness of controls over a period of time and yet they will be uh their methodology will be based on populations and samples these are not very accurate that's the best they could uh they could do at the following in the past few years but that's about to change in my opinion and fred it's complex especially if you're not the chief information security officer if you are not the glc manager and the governance risk and compliance manager maybe you can be a cto an engineer vprnd operation manager it doesn't really matter your main job responsibilities is not security and is not compliance it's just another thing that you got to do and you need to pass it successfully on time with successful results because you want to to win this deal and it's complex that's required that's going to require some level of knowledge so another level of information and experience performing audits before you want to know where you are and when you're getting so that's mean a lot of reading and preparation before of it now key compliance pain points and let's separate this between startups and corporates because each one have their own pains for startups lots of time many like time invested in the wrong places instead the fact instead of the engineers will be spending or investing in time over engineering architecture code review maybe fixing bugs they will need to invest a lot of time or maybe waste their time over compliance second it's lack of knowledge and experience these are people that are not trained and didn't go through any education over compliance that means that they have vehicle knowledge no they can study they can learn but it's gonna take time and they may suffer from non-compliance and bad results and start up especially you don't want together third increased cost and bad results that's very painful you you end up paying more over labor hours over some additional tools consulting and and stuff that you didn't understand the total cost of compliance in the beginning and that just caused you losing more money um that you initially planned as of corporates and when we speak in corporates let's just assume more than 1 000 employees and so they have different challenges one of them is honest stakeholders can be 20 30 stakeholders really depend on the company i worked and i was auditing a company as my previous work that ey um and they had approximately 20 product uh 20 products and 34 and development teams and multiple and tools they also acquire in a company and that was a mess so honestly all the relevant stakeholders might be some difficult you they need to understand that this is at top and top buttons came in it's come from management you're gonna have and you will need the management support for this second multiple framework and product startup may only seek for stock to type 2 or maybe only iso 27001 as of corporate they will need to actually incorporate many kind of frameworks certifications regulations attestation reports and etcetera and managing everything managing the version managing the evidence collection redundant of all that's a lot of pain spread you're gonna have numerous of people and applications it's vast it's high scale and it might be very challenging so this is what you should look out for and when you're preparing for compliance another question every everybody know amazon web services um will anyone know how many compliance programs those aws comply with it's might be interesting question right because this is come on it's aws aws is fast so let's just rapidly walk through rapidly over aws m certification attestation regulation and framework sale following so you can see the global and in the global certification we can see iso and different type of iso iso 27001 and so on soft too which this is an attestation report and pci dss cloud security alliance and etcetera we're going to move on for europe in europe you're going to have some different stuff that's relevant for the european market you can see in the uk in germany in netherlands different places um americas in the americas also some other type in canada other type of certification and regulations and asia pacific you can see more stuff and eventually i counted it myself and it was 24 certifications and attestation plus another 15 frameworks and enlightenments that they were in compliance another five laws and regulation and 30 privacy regulations end up for 74 um total compliance that aws need to follow every single year all right so this is this is robust this is bus but still it's aws so if you're taking this on a scale of a startup 10 employees five employees 50 100 maybe 1 000 um so it's going to be a little bit different but still you need to brace yourself because external audit is coming and it's gonna be maybe only one maybe more than one so you will need to prepare your company now um the most common frameworks that we identified first of all the stock 2 and iso 27001 which i'm going to speak about them very soon you can also find the hipaa nitrous for the healthcare industry the pci dss for the credit card and payments and processing ccra ccpa and gdpr which are the privacy regulations for and europe and the united states and the cmmc which is very relevant for um for the united states and basically discussing about the um the cyber cyber security maturity model certification so it's vast there are many more but let's just focus right now what's relevant for startups in regards for security in compliance it's gonna be suck too and iso 27001 now what's the main difference between the two because that's a totally different approach first so to look backwards iso 27001 look forward for continuous improvement now while it's looking backwards it's actually be based stock2 is based on accounting audits it's evolved from accounting audits so they have a trust but verify principle they're gonna ask from you hundreds of pieces of evidence in order to prove uh uh prove the control it's very relevant for the united states because it's based on the american institute for certified public accountants so that's mean if you have some business activity in the united states most likely it's not a question of if but the question of when you will need to follow the stock too um it's going to take six to 12 months and require a proximity for a small startup and two to hundred dollars a year uh now while the extra 27001 look forward for continuous improvement it's based on the international organization for standardization and based on the isms information security management system both of them are global and one is certification the stock 2 is an attestation report um it's going to take less time in my opinion especially for full startup is very much based on policies and procedure but you should take both of them in consideration while assessing your business objective and business strategy where when for me which market would you want to penetrate in the in the next year so that's going to be very relevant and and while doing so you will need to understand that's going to be a very picky wall like you'll need to do many managing lots of excel with many a google sheet and walls in email and you will need to find an auditor for every certification of at the station it's going to be a different auditor so it's very uh crucial from whom you choose and how you're going to walk through the process um now you want to bring someone with experience or maybe find a trusted partner that can take you through the process that's how it's going to look like when i was doing audits that's how it looked like i was literally collecting lots of evidence i had a testing procedure and for which one i had the testing results now i had companies receive deviations and also negative auditor's opinion this is too bad but in some cases it's happen um so you don't want to get there you want to work effective and in order to work effective i will share a few tips in a few minutes regarding the trends in compliance so at 2022 we see the remote world it just increasing more and more people working from home even if it's not full-time it's part-time it's 60 40 people walking remotely um now it's not necessarily have to be only from the same states we can find people from in the united states working in the united kingdom people from the united from the uk working in thailand or working in japan or walking in israel or you name it so we live in a broader world and we need to accept it how do you manage your i.t fleet either you're gonna send computers you don't have the physical access anymore on the clean desk anymore what you're gonna do then so that's interesting because it's changing literally changing the world um and after that also sharing compliance culture with stakeholders bold management customers business partner um many people will want to understand what is your compliance poster they want to trust they're looking for reason to trust you so you should be better give the give them those reasons um also you're gonna see lots of cloud adoption mainly for uh enterprises not only for startup in which we can already see this today in the public and a hybrid cloud we can also see huge corporates also governments actually migrating to the cloud and outsourcing compliance because today it's very difficult to find people that actually have experience and knowledge regarding information security within information security for governance and compliance and in this domain to be specialized in specific frameworks so our s in compliance just makes sense because it's very difficult to find their um good employees and that people that actually can give you and take you wherever you want to go so this is what makes sense outsourcing compliance save money and move fast and multi security frameworks we see every year it's gonna just increase you will need to have more and more security certification at the station and comply with privacy regulation and etc eventually we see also emerging technologies which we need to understand are we gonna audit them um so uh like the ai engine that can get an autonomous decision and the blockchain technology which is very interesting auditing blockchain and auditing through blockchain so we're gonna see big shifts in this area also all the autonomous vehicles that we've seen what's gonna happen with their operating system because we're speaking about life about a life of people so it's extreme extremely important to make sure that we don't take any risk when it comes to life of people um another trend is that we're gonna see shift from the traditional certification into the continuous certification and i brought this one from the cloud security alliance and this is not a a a thing of the future but this is actually start happening right now there is um people and entities like the cloud security alliance and continuous audit work group developing a framework and guidelines into how you can audit continuously your environment creating a machine language understanding that and trans transforming that that traditional audit to be from a yearly basis to be on a monthly basis hourly basis and and maybe in many basis every minute an automated system will be expanding your environment so how should you approach security and compliance that's a great question um now benjamin franklin said if i had six hours to chop down a tree i'd spend the first four hours sharpening the axe in other words plan carefully work on the planning you don't just want to go out there and and make mistake and waste time and money um so the pre for preparing for an audit you will need to work on scoping and planning and walk carefully on that bring someone that you trust it can be a friend it can be some special trusted partner anyone that you can trust speak with the guy explore his understanding and knowledge regarding security compliance ask about his experience see how many successful project is so far next find a business object or define the business objective and timeline identify the stakeholder um identify which relevant technology solution and technology uh tools and environment you use what is the policies and procedure you need to build them you need to build stuff that's actually correct for the company um and max this is a must have a top-down approach you must to get management buying they need to understand the project they need to support you you will need the support eventually building management security review put the security as part of the bold and management this is part of the sec and a sox regulation and we're going to see this not only is that of regulation that's not to be the incentive for modern management discussing security that should be just a monthly thing that you'll understand what are the risk and what could happen if so i think that's the main idea over here another uh just an example of a architecture like how you can transform the security compliance and by connecting with multiple 100 like dozens of integrations collecting evidence on a daily basis and identify compliance issues in real time you're gonna increase your level of security compliance in hundred percent and decrease the number of hours that you will need to invest in compliance um in a very uh very maybe in 80 to 90 percent also regarding security and compliance module everything is centralized it's one place you need to have a single source of truth don't manage and do a redundant work and don't manage a version every year um honest all the stakeholders in the same place and this is how you want to manage your security compliance um why you should automate compliance it's going to save your time you're going to stay compliant you're going to boost the customer trust and it's gonna make complaints easy not all of us are experts for security compliance some of us just want to understand what's the minimum required that i actually need to do in order to get this certification i want to be certified i have a deal and i want to be certified what i need to do so this is another reason why you should automate your compliance and also find this expert you don't need only the platform you also need someone to speak to make sure that you are on the right track to brainstorm to ask this tough question what should they do i have a contractor 80 you walk in with his own laptop should i deploy my agent should design nda should be sufficient what i should do that's why you should have somebody that you trust now we almost done it was very quick but speaking about the future of compliance actually the future is here we already seen continuous monitoring and robotic process automation um audit management the past we actually used to to um do a transport and visit on site and do audits on site for five days two weeks it's depend today everything not everything but majority is still remotely advanced data visualization you want to get some insights what's going on you don't want to lose your end and fin and and foods advanced data analytics you want to leverage technology including artificial intelligence and machine learning because you want to take all these repetitive audit tasks that you need to do on a continuous basis you would like to put them you want to put them and to make them automated and you want to invest your time on those strategic decisions that you will need to have so this is why it's so important um and we're going to see more and more development and actually already happening so those compliance equals security um absolutely absolutely yes if you take it seriously don't use the mindset for mindset of checking the box you need to see the value if you don't see a value don't do it i serious if you don't see a value in a control if you don't understand what is the risk in a control and you think that you're just gonna and check the bots maybe you shouldn't do it like every debate with your auditor try to understand have a debate internally and that's what you should do and continuously pushing this forward now thank you very much everyone regarding if you would like to learn more we just um we just went out with our new sock to academy it's the first software academy in the world you're gonna get you can get and be certified for suck too uh master implementer is for free we just want to all startups like ourselves um you can learn stuff and do it yourself and i wish you all good luck and hopefully you will get your security certification and scale fast and close those deals so thank you very much and um alex it was a pleasure uh thank you very much for that presentation maeran um i like the quote from benjamin franklin a lot nice who added that in there um so now we've got time for a couple questions and so if you'd like to put those in there we'll get straight to it so we do have a question from james and he says how do you know which bris to assess in an iso 27001 oh that that's a very good question uh i i i'm not sure that we're gonna have the time just reach me out personally in a very high level you need to have a gap analysis for your information security management system and annex a aka statement of applicability you will need to define which controls are applicable which are not applicable if something is inapplicable why it's inapplicable for those that are applicable maybe you need to create some stuff and maybe you need to understand the overall overall risk so um that's just in an essence and we also have some great um great articles and guides on our website so you are welcome visit there and i'm sure it's gonna assist you thank you for that mehran um also we have added the socktube bible at the top there so feel free to download your copy there so we do have another question from jonas stock he says thanks a lot one question how much does it cost on average to get the first iso 2701 when using a tool like scitel without using something like cyto that's a great question and i'm sorry to be a bummer but it's depend it depends what's the size of the company how fast you want to go who's going to be your auditor um what's going to be um your scoping of the project um jerry very generally speaking um including the auditor fees including cycle um cycle what we do is not actually only leveraging technology it's mainly saving your time want to save 90 of your time so if it's gonna take you 250 hours preparing for the iso 27001 think that it's going to save you 225 hours it can be approximately twenty and twenty thousand dollars to twenty two point five thousand dollars so that's what we're gonna save you um we save uh at least fifty percent of this price this is the the roi that we've seen why companies should work with us actually save 90 percent of the time and making the preparation for work to take weeks instead of one month and allowing the employees focusing on their core business and not moving aside for security and compliance thank you another question what tools does this platform integrate with looking at streamlining my company compliance journey oh that's a we have dozens of integration dozens and the big cloud providers um email services identity management platform all of the ticketing system human resource system recruitment system um we have endpoint unifying management databases you can check up on our website we have a special page it's called integration you will be able to find it over there and if you don't find please send me a message because we have a very extensive roadmap and we just keep implementing more and more faster it's definitely should address all of the startup tax tech for security compliance like iso 27001 and full sock too perfect thank you so much vladimir and that sort of brings us to the end of the webinar i hope everyone enjoyed it and i hope you also enjoyed that as well maeran also just to quickly plug we do have a podcast coming out very soon with uh mehran so he's going to be diving deeper into what we've discussed here so stay tuned for that and also make sure to downl at the top there so see everyone in the next session and thank you again mehran thank you very much for having me alex it was a pleasure thank you guys cheers no worries bye