“As the global leader for digital certificates used on the web, enterprise security and the IoT, DigiCert commits significant resources toward compliance to uphold our commitment to the public trust. With evidence serving as definitive judgment for auditors on the efficacy of our organization's controls, we always look to improve how we manage its collection and application. Hyperproof is improving our ability to effectively manage our evidence and gain real-time visibility into our audit preparedness.”
Director of Product Security and Compliance, DigiCert
Keeping up with compliance and audit requirements
Manual, inefficient compliance and audit processes
Existing compliance management tool did not scale well internally and was not intuitive to use
Why DigiCert chose Hyperproof
To eliminate manual, administrative work associated with preparing for various audits
To surface any gaps within DigiCert’s internal control environment and quickly identify its level of audit preparedness
To standardize operations and maximize the compliance team’s ability to manage its role within the organization as it moves closer to a state of continuous assessment and review
The Search: “We Need a Better Way to Manage Our Compliance Programs at Scale”
Because of DigiCert’s unique role as a certificate authority and its visibility in the security space, compliance is considered a critical function of the company by senior leadership. For DigiCert, compliance covers a broad set of requirements: the organization must meet a variety of different compliance standards — including SOC2, WebTrust, NIST 800-53, and PCI — pass audits for each, and adhere to the policies and requirements dictated by web browsers such as Mozilla and Google.
Given the breadth and depth of DigiCert’s compliance programs, the security and compliance team was looking for methods to improve internal processes and gain efficiencies with the external audits they were managing at any given time. Managing the high volume of evidence files — each of which must be linked to a specific requirement and internal control, and also be labeled for auditors — was especially tedious and time-consuming.
The team needed a tool that would give them the ability to quickly gather evidence needed for external audits, gauge the effectiveness of their internal controls, and provide real-time feedback about their audit preparedness and controls evaluation efforts.
When Aaron Poulsen, DigiCert’s Director of Product Security and Compliance, was first introduced to Hyperproof, he and his team were using an existing cloud-based compliance software; however, he was open to something new because the existing tool was not meeting the key need: effective management of the large quantity of evidence files necessary to satisfy audit requirements.
“We chose to partner with Hyperproof because they proposed a solution that directly addresses a persistent issue we face — namely, the efficient collection and management of evidence required to meet auditor requests,” says Poulsen.
Poulsen decided to trial Hyperproof’s compliance software through a four-week, structured proof-of-concept (POC). His goal was to evaluate whether this tool could provide a much more efficient way of managing the evidence needed to prove compliance compared to his current tool.
Jon Thornton, an Information Security Analyst on the Global Security Operations Team, was also heavily involved in testing Hyperproof during the POC.
During this pilot, DigiCert imported their own data into Hyperproof and ran two of their programs in the tool.
Ease of Gathering Evidence
In just a short amount of time, Poulsen has started to see meaningful results.
“Hyperproof is providing a solution that makes evidence management much easier. I’m able to upload existing artifacts using an intuitive interface and immediately begin working them into our review process. The time to value with this tool is immediate,” says Poulsen.
Jon Thornton, who manages several IT audits on behalf of the company, echoed Poulsen’s perspective when talking about the product’s benefits.
“I manage three IT compliance programs/audits for DigiCert. Hyperproof allows me to map one piece of evidence to two or more separate controls and programs, so I don’t have to pull the same piece of evidence again and again for each audit. It’s also helpful to see the overlap between programs, how one piece of proof can be reused across multiple programs.”
Thornton is happy about the amount of time he will be able to save and re-allocate to other projects: “Across the three audits I am responsible for, I can probably save at least 80 hours of my personal time by using Hyperproof. I can use this time to work on other high-impact projects, such as updating existing policies and evaluating new security software,” says Thornton.
Retained records of past audits to prepare for future audits
In addition to the difficulty of organizing evidence, another factor that made audits so time-consuming came down to record-keeping: DigiCert didn’t have a consistent solution for documenting information that would help their team prepare for future audits.
“With year-over-year audits, it’s easy to fall in the trap of starting all over again: interviewing the same set of people, requesting the same evidence, and generally duplicating effort,” says Poulsen.
With Hyperproof’s system-of-record capability, duplicative work will be reduced.
“Hyperproof is dispensing with much of the administrative overhead necessary to begin providing metrics and valuable insight into our audit readiness — more of my time will be freed to work on strategic tasks aimed at improving the security and compliance posture of the organization. This time saving is a big deal because it allows us to more effectively scale with existing resources.”
“We will have a better understanding of our audit preparedness”
With Hyperproof acting as the single source of truth for all compliance data at DigiCert, the compliance team can be more confident that they’re tackling the right things to reduce the organization’s level of risk overall.
Because the compliance team will no longer need to spend as much time on the repetitive, administrative tasks related to preparing for external audits, they can focus their attention on other strategic items within the compliance function.
“With Hyperproof, I will have a detailed trail of all former audits, both internal and external. Preparing for upcoming audits using the tool’s capabilities to continuously manage our compliance program is an enormous benefit. Capturing metadata with each evidence file will allow a new employee on my team (or simply someone new to a particular audit) to have an immediate impact on preparation activities — they will know where we sourced artifacts, when we last did it, and from whom. It will reduce the amount of time and confusion that comes with aggregating information to something almost trivial in the audit process,” says Poulsen.
“Hyperproof will also allow us to manage evidence files and controls across multiple programs, linking to multiple requirements, and all the time providing us real-time visibility into our readiness through the use of dashboards, freshness metrics, and potential gaps that will feed into our team’s operational workflow. We’ll know, and be alerted to, how soon something needs to be reviewed and refreshed. When you’re managing a multitude of programs, frameworks, and standards, having a holistic view of where you stand is no longer an optional output of the compliance function, it’s an expectation. Hyperproof is helping us meet that expectation.”
Advice on Evaluating Compliance Software
“Look for something that’s easy to use. You don’t want to be mired in processes and ceremony before you get the tool to a state where it’s usable,” says Poulsen. “With our previous GRC tool, it was complex to set up, complex to scale with additional resources, and once set up, ultimately didn’t work as expected.”
“An effective tool is one that will take what you have today in the form of existing controls and evidence, so you can begin iterating on your compliance program. If you have to start all over again — where the tool becomes the beginning of your program — that’s counterproductive. You want an application that can ingest your data in a short amount of time, at any stage of your program’s maturity, so you can start managing compliance tasks effectively.”