S3 E29: Integrating GRC Tools Into Your Compliance Program


Transcript


Jordan Eisner 
Here we go. Glad to be back. Another episode of Compliance Pointers. If you were to take a sample of Compliance Pointers episodes over our three years and you just picked one, you know, pin the tail on the donkey, and if you guessed that the guest was Brandon Breslin, you’d probably have at this point about a 20% chance of being right. So no surprise here, and they can see clearly on video: we’re joined by Brandon Breslin again. Brandon, thanks for doing this again, man. I’m starting to wonder if you sleep.


Brandon Breslin  

Thank you. Thanks for having me, man. I’m shocked you haven’t kicked me off the podcast yet. So thanks. Thanks for continuing to bring me on. I’ll take it as a compliment.


Jordan Eisner  

Of course, hey, I mean, I read between managing how many, how many people do you have on your team?


Brandon Breslin  

We are now growing with our healthcare group merging in. So we’ve got 16 total now, and we’ve got a couple of your folks now affiliated with the Sales team.


Jordan Eisner  

OK.
Sure. But you are responsible for 16 people, hundreds of clients, and you’re still doing more podcasts than anybody else in our group. And you’re now a father of two. You have what, a one-month-old at home, and not even.


Brandon Breslin 

It’s the most fun part.
I am. Thank you.
We are enjoying the life of having two kids now. Got a 3 1/2 year old and a one. Yep, a little bit over a month old. So it’s it’s great. Yep.


Jordan Eisner  

And I don’t see any bags under your eyes. So you’re, I mean, you’re sleeping. I don’t know how you do it. I mean, not just because of the baby, but because of everything else. Incredible, man.


Brandon Breslin  

We’re slowly getting in a better routine. It takes time. It takes time.


Jordan Eisner  

Yeah.
For our viewers and our listeners that don’t know, Brandon is our Practice Director of Security Assurance. Security Assurance at Compliance Point covers PCI, SOC 2, ISO 27001, 27701, 22301, 42001 and also HITRUST, and not only audit work, but also readiness, consulting, advisory. So a whole host of certifications, attestations, frameworks, really all around data and how organizations are securing and protecting it.
He’s got more than a decade of experience in PCI in particular, but you know, Security Assurance in general, right, in some of these other areas. He comes from a big consulting firm prior to Compliance Point, but I think you’ve been here, is it over three years now?


Brandon Breslin  

A little over three years, Yep.


Jordan Eisner  

Yep, and uh, I try not to what?


Brandon Breslin  

I’m quiet.
Time flies, man.


Jordan Eisner  

When you’re having fun, right? And having kids and managing 16 people and doing 40 podcasts.


Brandon Breslin  

Exactly.


Jordan Eisner  

Uh, and he’d also be very upset with me if I didn’t mention that he’s a UGA grad, especially as we get close to football season. That needs to be known.


Brandon Breslin  

We’re counting down the days.


Jordan Eisner  

Yeah. In Brandon’s line of work and his employees’ line of work, they are, or the clients are, leveraging GRC tools quite a bit. And that’s really the topic today. We’re going to talk about how organizations can leverage GRC tools in their compliance programs, not only to prepare audit packages for any handful of the audits, certifications or attestations I just mentioned, but also just to increase security posture and other things, and to leverage AI, of all things. There you go. We dropped AI, so this can be trending now wherever it’s posted. But of course we’re going to be good.


Brandon Breslin  

There you go. You got to include A and I. If it’s a podcast in 2025, if you’re not having AI in a podcast in 2025, what are you doing, right?


Jordan Eisner  

In the AI here, so yeah.
Exactly. Exactly. If you’re not having a podcast in 2025, yeah.


Brandon Breslin  

That is, yes, well said, well said.


Jordan Eisner  

Yeah, yeah. But we’ve been here. We’ve been here years, years of doing this. So, Brandon, for starters, for an organization just beginning their journey with GRC Tools, what’s the most critical first step they should take?


Brandon Breslin  

That’s true.
I can give some background too. You know, the GRC space is continuously evolving. We’re seeing more and more of our clients purchasing tools, either off the shelf or developing their own tools, more often. So, purchasing off the shelf just because of the complexity and the overhead that comes along with developing your own. There are still some organizations out there that don’t have a GRC tool yet, and that’s OK, right. I would say more of the mid-tier, the mid market and the larger companies are the ones that we see more often.
There’s so many out there, right? I think before you even get to that point of selection of a tool, I think you first need to have a conversation with your executive management if you’re a compliance officer or charged with governance in some sort, in some form or fashion.
Have a conversation with senior management, executive management, with your company leadership. Figure out first, does it make sense to have a tool? Do we have the budget for it? You know, does it align with our business objectives, right? You know, have the extensive conversation.
What’s the scale of our business? What are our future goals? Does having a GRC tool make sense for the organization? Most of the time the answer is yes, but not every organization decides to go down that route.


Jordan Eisner  

Yeah, and there’s many shapes, sizes, prices, models, modules. That’s part of it, OK.
What? Uh, so that’s coming from.
I would assume all those things that you need to do as a first step are because there are common pitfalls if you don’t do that. So the next question would be, what are some common pitfalls or mistakes you see organizations make when they’re implementing a GRC tool, or when they’re selecting one, that can be avoided?


Brandon Breslin  

Yeah, it’s a great question. So I would say that first question and that second question kind of blend, right. I mentioned that you need to have a conversation with executive management or senior management, company leadership. If you are a compliance officer, if you just start going down the route of developing a business plan without getting approval from your company leadership, you might be going into an empty tunnel. There may not be the end of a potential approval for a purchase of a tool right down the road. You wanna make sure that from the beginning you get that approval and that you’re in line with their objectives as well, not just even for your own group, or maybe even the compliance frameworks that you as an organization are looking to, you know, be compliant against or be certified against. That’s a critical piece and I’ll touch on that here in a minute.


Jordan Eisner  

Yeah.


Brandon Breslin  

But I think the number one first core objective is making sure you’re getting approval from your company leadership. And I’ve mentioned it now three or four times because we see it so many times where the compliance officer, or somebody in charge of governance or data protection or some type of compliance role in the organization, just goes off and says, hey, we need this tool, and it gets denied or they’re not able to move forward. There’s too much red tape because they don’t have that clear conversation or that extensive conversation with their company leadership. So you cannot underestimate that piece. Start small, scale it up, right? Look at, you know, I mentioned compliance frameworks. If you’re going down the route of, you know, maybe SOC 2 or NIST CSF or ISO 27001, PCI, right? Understand first what the needs of the organization are before you even get to that point of selection of a tool.


Jordan Eisner  

Yeah.


Brandon Breslin  

Most of the tools now include crosswalk and cross mapping, or, you know, there’s so many terms out there that mean the same thing, basically aligning different controls to different frameworks. Most of them do that, right? That’s the core, you know, process of the GRC tools, along with retention of evidence or validating testing of the controls and all of that, making sure that you’re, you know, not at risk for missing any of the requirements or controls on those frameworks. There’s all of those elements that we can get into, but I think the biggest pitfall, #1, is not getting approval. Second, getting a tool that doesn’t align with the frameworks that you’re going to be compliant against or that you’re looking to validate against. You know, maybe also training, I think, is a good one, right? If you’re in an organization more on the larger side, if you have an entire committee charged with this, if there’s just one person running the show and nobody else is on board, right, that can result in some challenges. Or if not everybody’s trained specifically on what needs to be included in the tool or what needs to be part of the selection process, that can pose a challenge as well.


Jordan Eisner  

Yeah. Or or how to use it, right?


Brandon Breslin  

There’s also obviously the, yeah, or knowing how to use it. Yeah, exactly. So that’s a good point. We can touch on that too is, you know, kind of going forward of after you’ve selected a tool, it’s so important to work with that company that you either purchased it with or customized it with or both.


Jordan Eisner  

Yeah.


Brandon Breslin  

And make sure that everybody that’s going to be using the tool is trained on it, is aware of its capabilities, and that you’re actually getting the value of what you purchased.


Jordan Eisner  

Yeah. So you hinted at it, right? One of the things we wanted to talk about, and you were talking about it with business buy-in, and the value is part of it. But beyond just regulatory requirements, or beyond just your attestation requirements and your compliance obligations, whether they be legal or to a client of yours from a data stewardship standpoint, what are some of the less obvious but significant benefits that organizations can gain from effectively leveraging a GRC tool?


Brandon Breslin  

Yeah. You know, that’s a great question. I would say operational efficiency, probably #1, right? When you’re looking at not just data governance, I know that’s kind of the focus of this, but when you have all of your controls or requirements in one central location, and you’re working with a team, maybe of different departments, maybe you’re a large organization and you’re working with different departments collecting evidence from different areas of the business before an audit comes up, or maybe just throughout the year as an internal audit. When you have that flow, when you’re working with them continuously, you start to build that efficiency of: OK, this department’s handling this, and you know, maybe we could tweak this a little bit more. You know, maybe we should change our vulnerability management program a little bit, running scans or pen tests more often, right? Or maybe patches, we could run those more often. As you start to gather a lot of these things and you’re reviewing the controls on a consistent basis, you start to see opportunities for improvement for the organization. So I would say that’s more on the operational side.
Transparency, accountability, right? If you’ve got, again, different people responsible for different areas of the business that you’re obtaining evidence or control validation from, or documentation from, or you know, some type of conversation that has to be had to validate a control, you start to identify who’s in charge of what, and then if somebody slips, right, you have a tool that can manage that process.
It also helps, you know, something I would say that’s an indirect benefit or a less obvious benefit as well, is just the culture of focusing more on compliance and cybersecurity, right? As an organization, we all know what’s the weakest part of security in an organization: the humans, right? The employees of the organization. So if you have everybody virtually bought into this tool, then it starts to be more top of mind, in the forefront. They start to care more about it, not just avoiding the anti-phishing links, right? You know, making sure that you’re actually focused on the controls.
And then another big one that I just thought of, also maybe decision making too. If you’ve got people that, again, are responsible for different areas and you want somebody to be in charge of that control, it gives them that autonomy, but it also gives you the understanding of who to go to directly, and then if they need to change a process, you can get that decision directly from that person or that team.


Jordan Eisner  

Yeah, yeah, good stuff.
So you talked about efficiency and you even gave some examples. Go a step further on that. You know, what are some even more practical or specific examples from an efficiency standpoint? Because everybody says that with GRC tools, right? But for our listeners, right, for our audience, what are some specifics, especially, I mean, you do a lot of work in this.


Brandon Breslin  

OK.


Jordan Eisner  

And a lot of clients that are leveraging GRC tools. What are 2-3 things that specifically stand out in your mind from an efficiency capture standpoint?


Brandon Breslin  

I think everybody immediately jumps to audit preparation or being ready for an audit. That’s one big component and we can talk about that, right? It can save time in the evidence gathering process when you submit evidence for requests for an audit and all of that. But I think it’s more than that, right? It’s more of getting the organization on board with understanding what the controls are, what their responsibilities are, and making sure that they’re doing those day-to-day tasks or validation of controls that they’re responsible for on a continuous process, right? Security is a continuous process, it’s not a one-time thing. You know, it’s not a one-time, right? It’s continuous. That’s the reason why, you know, you’ll see most of the frameworks now are more on a continuous basis. They’re not one time, even though some of them are still point in time. That’s more of an encouragement now to move, or to shift that mindset, to, you know, frequency-based controls, frequency-based requirements. Because you want to avoid that situation where, oh, the auditor’s coming in, let’s get all the evidence, right. Let’s make sure we’re doing everything. Let’s patch all of our systems. Let’s run some vuln scans, let’s run a pen test. We’re shifting away from that, right? We’ve never wanted it to be that way.

We want it to be that organizations are keeping this at the forefront. They’re keeping it top of mind. They’re continuously validating those controls and they’re making sure that they’re staying ahead of it. So that in the event of an audit, right, to kind of bring it back or tie a bow on it, if you are in an audit, there’s never any surprises, right? You get into the audit. Oh yeah, we’ve had that evidence. We’ve been collecting that evidence for six months already internally, right? Or we’ve been running those patch reports every month and we save them in our tool. Here you go. Here’s the last 5-6 months of them, right. It changes the mindset when you’re already ahead of the game.
Then it’s not a scramble to try to find certain pieces of evidence. And again, I can’t stress this enough. The audit is just one element of, or one piece of, the puzzle, right? It’s you making sure that the organization is understanding of the controls and making sure that they’re keeping them forefront. Top of mind is the most…


Jordan Eisner  

Right.


Brandon Breslin  

…important.


Jordan Eisner  

So this next question, and you talked about it coming up again later, and what we agreed to talk about in this podcast. I think you answered it to a degree here too, maybe conceptually or maybe in product, but I was going to ask from an auditor’s perspective.
What makes implementation of a GRC tool stand out to you as having been effective and reliable for demonstrating compliance? Now you just talked about avoiding the hamster wheel. It’s not a fire drill, and ducks in a row, basically. I think that’s probably part of what you can see when they’re prepared and they’re ready and it’s efficient, but.


Brandon Breslin  

Yeah.


Jordan Eisner  

You know, what are some other answers or considerations that stand out to you beyond just that when you say, oh, that’s because they implemented it right or they train their team properly on how to leverage it or they’re using it for decision-making processes?


Brandon Breslin  

Yeah.
Yeah, it’s a great question. You know, I guess we haven’t really touched on accuracy or completeness of data, right. I think that’s a critical factor. So again, you’re not scrambling, you’re not trying to pull information last minute. You have those month-over-month recurrences, you know, control validation evidence, or you have the audit trails and the version control to show that you’ve been in compliance for that full year or that quarter or month, whatever control you’re looking at. We also just haven’t even talked about the fact that it’s a centralized repository. From our perspective, we’re running an assessment and audit and we’re speaking with our clients, we’re working in that tool together, right. That’s a collaborative tool. It’s a central evidence repository where it’s easy to get a lot of that information. It makes the audit process streamlined, makes it a lot easier from the client’s perspective, right? The organization that’s being assessed, the entity being assessed, they have one location to pull all that information from and to house it, and they can see all the requirements that overlap to the other frameworks, so.
Let’s say they’re doing a HITRUST assessment and they’ve got a SOC 2 audit coming down the pipe, right. They can store that evidence in the GRC tool and then they’re already getting prepared for the SOC 2 audit while they’re completing their HITRUST assessment. So it’s that, you know, it’s that efficiency game that I think is a game changer, but it’s also the central repository, you know, having the audit trails, having the ease of reporting, you know, having integration with underlying systems. We haven’t talked about that. You know, there’s so many, there’s APIs out there now that integrate, that can pull evidence directly from.


Jordan Eisner 

Yeah.


Brandon Breslin  

You know, for example, the big three, AWS, Azure, GCP, right? You could have an API integrated to pull a lot of that evidence, you know, from each of those instances that you’ve got, or those environments that you’ve got, to be able to make the audit process easier.
It just makes it much smoother. It makes the walkthroughs go quicker, observations, interviews go quicker, because you can pull all that evidence. You’re already ready to go there. The benefits are definitely, you know, are definitely there.


Jordan Eisner  

Yeah, one such integration is Field Guide, right? And I know we love Field Guide. It’s part of our audit team.


Brandon Breslin  

Yeah.
That’s the tool.
Exactly. So we use that tool, that you know, there’s API integrations already built with, you know, for example, the cloud environments, but also other GRC tools. Let’s say we’re working with a client that’s using Drata or Vanta, there is already an API integration


Jordan Eisner  

Yeah.


Brandon Breslin  

set up with Field Guide to where we can get the evidence directly from their own GRC tool, so that we can run the assessment and automate a lot of those pieces that we need to. It’s huge, yeah.


Jordan Eisner  

Yeah, yeah, powerful. It’s powerful stuff.
Yeah, all right, here’s where that, uh, two-letter acronym comes in, right, that everybody’s talking about. So that’s going to be one. I would ask you to start with anything beyond that, or before that, and maybe there isn’t, but what emerging trends or technologies do you see that are going to impact the future of GRC tools? Like you said, they’re constantly changing, evolving, emerging. What’s going to affect that and their role in compliance?


Brandon Breslin  

Yeah, you know, if we want to talk about AI specifically, that two-letter acronym, right, I think it goes a little bit further than that. If we look at kind of the iterations now of the different models that are out there earlier this year, because that space is moving so fast.
Earlier this year, AI workflows were starting to be built into most common large-scale GRC platforms. We’re now past that, right? We’re in the Agentic AI realm now. We’re already seeing, you know, Agentic AI, you know, solutions being deployed, or models being deployed, to each of the common platforms out there that can automate both sides, right? The assessor and the assessed entity, to pull evidence, to start to generate a lot of the documentation, to start to anticipate what requests are coming down based on schedules and things like that. So I would say it takes it a step further than just the workflows, which are, you know, consistent processes that are built out on a recurring basis, right? The Agentic AI takes it to another level.


Jordan Eisner  

Oh, you go.
All right. That’s about all I wanted to cover. So did you have anything else? I think that’s a good punch.


Brandon Breslin  

I love it. Love it.


Jordan Eisner  

Um, I’ll leave our audience with this. You know, if you were interested in these topics, you’re considering a GRC tool, or any of these compliance frameworks we referenced are on your road map or part of your annual attestation compliance process, and you’d be interested in the value and the expertise somebody like Brandon or his team could bring, give us a call, you know, reach out to us. You can connect with us at compliancepoint.com. You can e-mail us directly at connect@compliancepoint.com. We take inquiries from anywhere on that, not just clients, and we’ll be interested in your questions and how maybe we could help.
And this isn’t the only area we serve. We have a whole cybersecurity function dedicated to that side of security. We also work in data privacy and other regulatory compliance areas that don’t have, you know, maybe annual attestations or certification. So if it’s data and there’s risk tied to it and how you protect it, secure it, limit it, disclose it, you know, keep it confidential, we can probably help with it, whether through assessments or advisory services, and we’d love to do that for you. So Brandon, I’m sure I’ll talk to you at work very soon, probably on a podcast in the next couple of weeks.


Brandon Breslin  

Absolutely. And I will also say, as we’re wrapping up, you know, if you’re an organization that is exploring, you’ve already had the conversation with your executive management and you have determined that as a company you’re going to go forward with the selection process of a tool: take your time, right. It’s a big decision. It’s expensive, but it’s worth it from our experience that we’ve seen, if done right. You know, make sure you’re getting that approval from senior leadership, making sure that you’re involving the different departments, whoever’s responsible for governance or who’s in charge of, you know, critical systems and controls within the environment, to make sure that you are evaluating and selecting the correct tool for your organization. There’s so many out there, so don’t just fall for the latest ad, right? Really get into the nitty-gritty and decide which tool is best for your organization specifically.


Jordan Eisner  

Yep. Well said. All right, Brandon, thank you. To our listeners and watchers, be well. We’ll catch you next time.


Brandon Breslin  

Yeah.
Thanks, Jordan.


Let us help you identify any information security risks or compliance gaps that may be threatening your business or its valued data assets. Businesses in every industry face scrutiny for how they handle sensitive data including customer and prospect information.