“As the global leader for digital certificates used on the web, enterprise security and the IoT, DigiCert commits significant resources toward compliance to uphold our commitment to the public trust. With evidence serving as definitive judgment for auditors on the efficacy of our organization's controls, we always look to improve how we manage its collection and application. Hyperproof is improving our ability to effectively manage our evidence and gain real-time visibility into our audit preparedness.”

Aaron Poulsen
Director of Product Security and Compliance, DigiCert


Top Challenges

  • Keeping up with compliance and audit requirements

  • Manual, inefficient compliance and audit processes

  • Existing compliance management tool did not scale well internally and was not intuitive to use


Why DigiCert chose Hyperproof

  • To eliminate manual, administrative work associated with preparing for various audits

  • To surface any gaps within DigiCert’s internal control environment and quickly identify its level of audit preparedness

  • To standardize operations and maximize the compliance team’s ability to manage its role within the organization as it moves closer to a state of continuous assessment and review

IT Compliance Programs

  • WebTrust CA

  • WebTrust EV SSL

  • WebTrust EV CS

  • WebTrust Publicly Trusted CS

  • WebTrust BR

  • NIST 800-53

  • SOC2

  • ETSI

  • PCI-DSS

  • PCI-PIN

Stakeholders Involved in Compliance

  • Full-Time Compliance Staff

  • Control Owners

  • Contributors and Reviewers

Background

DigiCert, Inc. is the world’s leading provider of TLS/SSL, IoT and PKI solutions, headquartered in Lehi, Utah with several international offices including in Australia, Ireland, Japan, South Africa, Switzerland, and the United Kingdom. As a certificate authority (CA) and trusted third party, DigiCert provides the public key infrastructure (PKI) and validation required for issuing many types of digital certificates, including TLS certificates. These certificates are used to verify and authenticate the identities of organizations and domains and to protect the privacy and data integrity of users’ digital interactions with web browsers, email clients, documents, software programs, apps, networks, and connected IoT devices. The company also provides certificate management software platforms to help companies properly deploy certificates across their systems.

The Search: “We Need a Better Way to Manage Our Compliance Programs at Scale”

Because of DigiCert’s unique role as a certificate authority and its visibility in the security space, senior leadership considers compliance a critical function of the company. For DigiCert, compliance covers a broad set of requirements: the organization must meet a variety of different compliance standards — including SOC2, WebTrust, NIST 800-53, and PCI — pass audits for each, and adhere to the policies and requirements set by web browser vendors such as Mozilla and Google.

Given the breadth and depth of DigiCert’s compliance programs, the security and compliance team was looking for ways to improve internal processes and make the external audits they were managing at any given time more efficient. Managing the high volume of evidence files — each of which must be linked to a specific requirement and internal control, and also be labeled for auditors — was especially tedious and time consuming.

The team needed a tool that would give them the ability to quickly gather evidence needed for external audits, gauge the effectiveness of their internal controls, and provide real-time feedback about their audit preparedness and controls evaluation efforts.

When Aaron Poulsen, DigiCert’s Director of Product Security and Compliance, was first introduced to Hyperproof, he and his team were using an existing cloud-based compliance tool; however, he was open to something new because that tool was not meeting the key need: effective management of the large quantity of evidence files necessary to satisfy audit requirements.

“We chose to partner with Hyperproof because they proposed a solution that directly addresses a persistent issue we face—namely, the efficient collection and management of evidence required to meet auditor requests,” says Poulsen.

Implementation

Poulsen decided to trial Hyperproof’s compliance software through a four-week, structured proof-of-concept (POC). His goal was to evaluate whether the tool could manage the evidence needed to prove compliance much more efficiently than his current tool.

Jon Thornton, an Information Security Analyst on the Global Security Operations Team, was also heavily involved in testing Hyperproof during the POC.

During this pilot, DigiCert imported their own data into Hyperproof and ran two of their programs in the tool.

Key Benefits


Ease of Gathering Evidence

In just a short amount of time, Poulsen has started to see meaningful results.

“Hyperproof is providing a solution that makes evidence management much easier. I’m able to upload existing artifacts using an intuitive interface and immediately begin working them into our review process. The time to value with this tool is immediate,” says Poulsen.

Jon Thornton, who manages several IT audits on behalf of the company, echoed Poulsen’s perspective when talking about the product’s benefits.

“I manage three IT compliance programs/audits for DigiCert. Hyperproof allows me to map one piece of evidence to two or more separate controls and programs, so I don’t have to pull the same piece of evidence again and again for each audit. It’s also helpful to see the overlap between programs, how one piece of proof can be reused across multiple programs.”

Thornton is happy about the amount of time he will be able to save and re-allocate to other projects: “Across the three audits I am responsible for, I can probably save at least 80 hours of my personal time by using Hyperproof. I can use this time to work on other high-impact projects, such as updating existing policies and evaluating new security software,” says Thornton.


Retained records of past audits to prepare for future audits

In addition to the difficulty of organizing evidence, another factor that made audits so time-consuming came down to record-keeping: DigiCert didn’t have a consistent solution for documenting information that would help their team prepare for future audits.

“With year-over-year audits, it’s easy to fall in the trap of starting all over again: interviewing the same set of people, requesting the same evidence, and generally duplicating effort,” says Poulsen.

With Hyperproof’s system-of-record capability, duplicative work will be reduced.

“Hyperproof is dispensing with much of the administrative overhead necessary to begin providing metrics and valuable insight into our audit readiness – more of my time will be freed to work on strategic tasks aimed at improving the security and compliance posture of the organization. This time saving is a big deal because it allows us to more effectively scale with existing resources.”


“We will have a better understanding of our audit preparedness”

With Hyperproof acting as the single source of truth for all compliance data at DigiCert, the compliance team can be more confident that they're tackling the right things to reduce the organization’s level of risk overall.

Because the compliance team will no longer need to spend as much time on the repetitive, administrative tasks related to preparing for external audits, they can focus their attention on other strategic items within the compliance function.

“With Hyperproof, I will have a detailed trail of all former audits, both internal and external. Preparing for upcoming audits using the tool’s capabilities to continuously manage our compliance program is an enormous benefit. Capturing metadata with each evidence file will allow a new employee on my team (or simply someone new to a particular audit) to have an immediate impact on preparation activities — they will know where we sourced artifacts, when we last did it, and from whom. It will reduce the amount of time and confusion that comes with aggregating information to something almost trivial in the audit process,” says Poulsen.

“Hyperproof will also allow us to manage evidence files and controls across multiple programs, linking to multiple requirements, and all the time providing us real-time visibility into our readiness through the use of dashboards, freshness metrics, and potential gaps that will feed into our team’s operational workflow. We’ll know, and be alerted to, how soon something needs to be reviewed and refreshed. When you’re managing a multitude of programs, frameworks, and standards, having a holistic view of where you stand is no longer an optional output of the compliance function, it’s an expectation. Hyperproof is helping us meet that expectation.”

Advice on Evaluating Compliance Software

“Look for something that’s easy to use. You don’t want to be mired in processes and ceremony before you get the tool to a state where it’s usable,” says Poulsen. “With our previous GRC tool, it was complex to set up, complex to scale with additional resources, and once set up, ultimately didn’t work as expected.”

“An effective tool is one that will take what you have today in the form of existing controls and evidence, so you can begin iterating on your compliance program. If you have to start all over again — where the tool becomes the beginning of your program — that’s counterproductive. You want an application that can ingest your data in a short amount of time, at any stage of your program’s maturity, so you can start managing compliance tasks effectively.”
