Compliance Uncomplicated With Oyster's Audra Nariunaite

Introduction

The host introduces the podcast and explains its purpose.

Welcome to Compliance Uncomplicated

  • Compliance Uncomplicated is a podcast series that simplifies the complex world of risk and compliance.
  • Each episode features high-growth startups and other brands building compliance pathways towards a culture of security.
  • The podcast aims to unravel jargon, abbreviations, and uncomplicate compliance.

Episode Introduction

The host introduces herself, her co-host, and their guest for the episode.

Meet the Hosts and Guest

  • Kayla is the host for this episode.
  • Tamisha Young is Kayla's co-host.
  • Audra Nariunaite is the director of compliance at Oyster, who will be joining them as a guest on this episode.

Introducing Tamisha Young

Tamisha Young shares her background with listeners.

Meet Tamisha Young

  • Tamisha Young is the senior audit alliance manager at Drata.
  • Her role involves connecting thousands of customers with auditors that meet their needs through Drata's platform.
  • About 80% of Drata's customers find their auditors through Drata.
  • She ensures that auditors have all necessary resources, tools, and training to be successful using Drata's platform.

Introducing Audra Nariunaite

Audra Nariunaite shares her background in cybersecurity and internal auditing.

Meet Audra Nariunaite

  • Audra Nariunaite has a non-traditional background in cybersecurity and internal auditing.
  • She has a degree in organizational psychology and an MBA with a finance focus.
  • She enjoys art as well and loves traveling to visit modern art museums.
  • Audra finds that compliance allows her to focus on process improvement and look at organization-wide processes.
  • She has worked in healthcare compliance, risk, and audit for a major railroad in the US before joining Oyster as the director of compliance.

Audra's Career Path

Audra shares how she discovered her passion for compliance.

Discovering Compliance

  • Audra started in finance and had a stop in HR analytics before discovering the profession of compliance.
  • She enjoys looking at how organization-spanning processes operate effectively.
  • Compliance allows her to help organizations be more effective in their processes.
  • She spent several years in healthcare compliance, risk, and audit before joining Oyster.

Scaling Quickly in Healthcare

In this section, the speaker discusses her experience working for a private equity-owned healthcare company and how they had to be thoughtful about their processes when scaling quickly through mergers and acquisitions. She also talks about how she applied this experience to building a compliance program at a startup.

Thoughtful Processes for Scaling Quickly

  • When scaling quickly through mergers and acquisitions, it's important to be thoughtful about each process.
  • Building a compliance program at a startup requires setting strong foundations that can accommodate growth.
  • It's important to consider whether manual processes will still work as the company grows and more systems and employees are added.

Selecting an Auditor for Compliance Needs

In this section, the speaker talks about how Oyster selected an auditor for their compliance needs. She discusses the importance of finding an audit firm that understands startups, technology, and globally distributed companies.

Choosing an Audit Firm

  • Oyster started by finding a software partner (Drata), which helped them find audit firms that worked with Drata directly.
  • The speaker chose Drata because of its in-depth evidence collection, and looked for an audit firm that understood startups, technology, and globally distributed companies.
  • Some audit firms have thinner processes than others when it comes to small startups without mature environments.
  • Oyster lucked out with their audit group, which was willing to engage and learn with the organization while leveraging Drata's platform to the fullest extent.

Finding the Right Auditor

In this section, the speaker discusses how to find the right auditor for your company and what to look for when making that decision.

Tips for Choosing an Auditor

  • Talk with people who will be working with you.
  • Understand their background and experience.
  • Determine if they are more tech-focused or have more SOC/ISO experience.
  • Be mindful of how much support you need and if there are additional costs associated with it.

Oyster's Mission

In this section, the speaker talks about Oyster's mission and how they are bringing jobs to people in countries where opportunities may not have been available before.

About Oyster

  • Offers a software service platform for organizations around the world.
  • Enables companies to access talent that may not be available in their area.
  • Ensures information is handled properly with IT controls, privacy controls, etc.

Building Strong Foundations at Scale

In this section, the speaker discusses the importance of having organization-wide buy-in around security and compliance initiatives as companies scale.

Importance of Organization-Wide Buy-In

  • Having organization-wide buy-in is crucial as companies scale.
  • Security and compliance initiatives should be prioritized across all departments.
  • It's important to have a culture of security and compliance.
  • Regular training and education can help ensure everyone is on the same page.

Understanding Compliance and Priorities

In this section, the speaker talks about how compliance can be used to connect with stakeholders outside of compliance. They discuss understanding the priorities of departments not related to compliance and how it can help in creating scalable processes.

Connecting Compliance with Stakeholders

  • Compliance professionals need to understand the priorities of departments not related to compliance.
  • Understanding goals that are not directly related to compliance helps in creating scalable processes.
  • Focusing on mid-market companies means working with sophisticated customers who have certain expectations, including talking to compliance.
  • Taking something that resonates with external stakeholders and using it as a starting point for discussions around compliance makes it easier for everyone involved.

Measuring Success

  • Success is measured when other departments reach out saying they are doing something because it supports a specific aspect of compliance.
  • Ongoing partnership and stepping outside of our role is important in building relationships.

Navigating Security vs. Compliance

In this section, the speaker discusses how security is part of the overall framework of compliance but doesn't necessarily address all risks an organization has. They talk about weaving security into other aspects of an organization through compliance.

Security vs. Compliance

  • Compliance is an overarching concept, and security is a part of that framework.
  • Having security covers part of the risk an organization has, but it doesn't address all risks.
  • Compliance helps weave security into other aspects of an organization.

Approach to Security

In this section, the speaker discusses their approach to security and how they integrate learnings to be proactive. They also talk about being reactive and having systems in place for incident reporting, business continuity, and disaster recovery testing.

Integrating Learnings

  • The speaker believes that everyone wants to do the right thing when it comes to security.
  • They aim to make it easy for people to do the right thing by streamlining processes.
  • Compliance adds value by looking at processes and identifying potential risks.

Being Reactive

  • The reality is that something will go wrong eventually.
  • Systems are in place for incident reporting, internal policies, roles and responsibilities, business continuity, and disaster recovery testing.

Getting Buy-In

  • Compliance initiatives are aligned with overarching business goals.
  • Compliance looks through all objectives around the company to find spaces where compliance could add value.
  • Empowering people through understanding overall global organizational goals is key.

Framing Compliance Initiatives as Business Drivers

In this section, the speaker talks about how they frame compliance initiatives as business drivers. They discuss using an OKR framework for measuring objectives and key results. They also mention some successes they've had with salespeople who were not educated enough on cybersecurity items.

Using an OKR Framework

  • The company uses an OKR (Objectives and Key Results) framework for measuring objectives and key results.
  • Compliance looks through all objectives around the company to find spaces where compliance could add value.

Successes with Salespeople

  • Salespeople were not educated enough on cybersecurity items.
  • Compliance took on answering customer questionnaires as a task while empowering and educating sales partners.
  • A database of answers was created so that salespeople could easily access information needed for customer questionnaires.

Becoming SOC 2 Compliant

In this section, the speaker talks about their experience with becoming SOC 2 compliant and shares tips on how to approach the process.

Defining the Scope of the Project

  • The first step was to define the scope of the project.
  • This involved understanding what software support and external auditors were needed.

Bettering Readiness

  • The team wanted to do both SOC 1 and SOC 2 at the same time.
  • To keep momentum going, they started discussions with external auditors early on.
  • They had almost nine months with them before starting the actual monitoring period for their very first SOC 2 Type 2.

Tips for Approaching Compliance

  • Automated controls make things easy, but remember that they are not where most of your time will be invested.
  • Planning ahead and having a strong project plan around the risk assessment is important.
  • Formalizing policies takes time, and stakeholders need to know that they will have to invest time in it.
  • Allocating all the time needed is crucial.

Personal Lesson Learned

  • After three months of Type 2 compliance, they reached a good point where they knew they were ready.

The Importance of Ongoing SOC 2 Compliance

In this section, the speaker emphasizes the importance of ongoing SOC 2 compliance and how it is a continuous process that requires constant attention.

Ongoing Monitoring and Policy Reviews

  • After completing the initial monitoring period, ongoing monitoring is necessary to ensure continued compliance.
  • Annual policy reviews are also important to keep up with changes in infrastructure and processes.
  • It's important to communicate to stakeholders that SOC 2 compliance is an ongoing exercise.

Benefits of SOC 2 Compliance

  • SOC 2 compliance can lead to time savings when answering customer questionnaires.
  • Sales teams can benefit from having SOC 2 compliance as it becomes a natural part of their pitch.
  • Having SOC 2 compliance can reduce the need for long explanations when dealing with security questionnaires.

Building on Initial Compliance

  • The second year of compliance involves more detailed risk assessments and streamlined reporting.
  • As the tech stack changes, it's important to account for new risks and opportunities.
  • Ongoing communication with stakeholders about what it means to stay compliant is crucial.

Advice for Companies Beginning their Compliance Journey

In this section, Audra Nariunaite provides advice to companies who are beginning their compliance journey and are unsure where to start. She recommends having a roadmap and goal posts to look at as you consider the program overall.

United States Department of Justice Guidance for Effective Compliance Programs

  • The United States Department of Justice guidance for effective compliance programs is a long but thoughtful document that outlines what the compliance program should be.
  • The guide has evolved through the years and includes elements such as having policies and procedures, a Chief Compliance Officer who reports to the board of directors, reporting, compliance monitoring, and risk assessment, among others.
  • As this guidance continues to grow, it's important to ask where your organization stands today if you need a starting point. Having the Seven Elements plus risk assessment is a really solid place to start.

Oyster's Mission

  • To learn more about Oyster's mission and how they are making a positive impact in the world, visit oysterhr.com.

Evolution of United States Department of Justice Guidance for Effective Compliance Programs

In this section, Audra Nariunaite discusses how the United States Department of Justice guidance for effective compliance programs has evolved over time.

Evolution Through The Years

  • The guide started many years ago with very basic guidance on the elements of a compliance program: having policies and procedures, having a Chief Compliance Officer who reports to the board of directors, reporting, compliance monitoring, and other baseline aspects.
  • Over time, additional guidance was added about how these things should be conducted. At some point, risk assessment made its way into the elements of a compliance program.