Case Study

How DigiCert Found a Better Way to Manage Compliance at Scale

DigiCert

Frameworks: ISO 27001 // SOC 2 Type 2

DigiCert Inc. is a US-based technology company focused on digital security and headquartered in Lehi, Utah with international offices in Australia, Ireland, Japan, South Africa, Switzerland, and the United Kingdom. As a certificate authority (CA) and trusted third party, DigiCert provides the public key infrastructure (PKI) and validation required for issuing digital certificates or TLS/SSL certificates. These certificates are used to verify and authenticate the identities of organizations and domains and to protect the privacy and data integrity of users’ digital interactions with web browsers, email clients, documents, software programs, apps, networks, and connected IoT devices.

Compliance Frameworks:

  • WebTrust CA
  • WebTrust EV SSL
  • WebTrust EV CS
  • WebTrust Publicly Trusted CS
  • WebTrust BR
  • NIST 800-53
  • SOC2
  • ETSI
  • PCI-DSS
  • PCI-PIN

Quick Facts: Technology, Digital Security // Lehi, Utah

The Challenge

A need to scale with a complex program

DigiCert has a unique role as a certificate authority and is highly visible in the security space. As a result, their senior leadership team considers compliance a critical function of the company, and their program is complex. “As the global leader for digital certificates used on the web, enterprise security and the IoT, DigiCert commits significant resources for compliance to uphold our commitment to the public trust,” says Aaron Poulsen, Director of Product Security and Compliance at DigiCert. “With evidence serving as definitive judgment for auditors on the efficacy of our organization’s controls, we strive to improve our ability to manage its collection and application.”

DigiCert must meet a variety of different compliance standards, like SOC2, WebTrust, NIST 800-53, PCI, and more. Additionally, they are required to pass audits at any time for any framework and to adhere to the policies and requirements dictated by web browsers like Mozilla and Google.

Their compliance software was not meeting their needs

Given the breadth and depth of DigiCert’s compliance programs, their security and compliance team needed to improve internal processes and gain efficiencies for ad-hoc external audits. DigiCert was using a cloud-based compliance software that wasn’t meeting their key need: effective management of the large quantity of evidence files necessary to satisfy audit requirements. Managing the high volume of evidence files — each of which must be linked to a specific requirement, internal control, and labeled for auditors — was especially tedious and time-consuming.

“We were looking for something easy to use. You don’t want to be mired in processes and ceremony before you get the tool to a state where it’s usable,” says Poulsen. “With our previous GRC tool, it was complex to set up, complex to scale with additional resources, and once set up, ultimately didn’t work as expected.”

“An effective tool is one that will take what you have today in the form of existing controls and evidence, so you can begin iterating on your compliance program. If you have to start all over again — where the tool becomes the beginning of your program — that’s counterproductive. We wanted an application that can ingest our data in a short amount of time, at any stage of our program’s maturity, so we could start managing compliance tasks effectively.”

Difficulty keeping records for audits

In addition to the difficulty of organizing evidence, another factor that made audits so time-consuming came down to record-keeping: DigiCert didn’t have a consistent solution for documenting information that would help their team prepare for future audits. “With year-over-year audits, it’s easy to fall into the trap of starting all over again: interviewing the same set of people, requesting the same evidence, and generally duplicating effort,” says Poulsen.

The team needed a tool that would give them the ability to:

  • Quickly gather evidence for external audits
  • Gauge the effectiveness of their internal controls
  • Provide real-time feedback about their audit preparedness and controls evaluation efforts

The Solution

Ease-of-use and pilot testing

When Poulsen was first introduced to Hyperproof, he was open to a new solution, considering how many of DigiCert’s needs went unmet with their current solution.

We chose to partner with Hyperproof because it’s a solution that directly addresses a persistent issue we face — efficient collection and management of evidence required to meet auditor requests.

Aaron Poulsen

Director of Product Security and Compliance // DigiCert

Poulsen decided to trial Hyperproof’s compliance software through a 4-week, structured proof-of-concept (POC). His goal was to evaluate whether this tool could provide a much more efficient way of managing the evidence needed to prove compliance compared to his current tool. During this pilot, DigiCert imported their own data into Hyperproof and ran two of their programs in the tool: WebTrust for CA and SOC2.

Seamless and easy evidence collection

In a short amount of time, Poulsen saw meaningful results. “Hyperproof is providing a solution that makes evidence management much easier,” says Poulsen. “I’m able to upload existing artifacts using an intuitive interface and immediately begin working them into our review process. The time-to-value with this tool is immediate.”

Jon Thornton, an Information Security Analyst on the Global Security Operations Team, echoed Poulsen’s perspective when talking about the product’s benefits: “I manage three IT compliance programs/audits for DigiCert. Hyperproof allows me to map one piece of evidence to two or more separate controls and programs so I don’t have to pull the same piece of evidence again and again for each audit. It’s also helpful to see the overlap between programs — how one piece of proof can be reused across multiple programs.”

Thornton is happy about the amount of time he saves and re-allocates to other equally important projects: “Across the three audits I am responsible for, I save at least 80 hours of my personal time by using Hyperproof,” he says. “I can use this time to work on other high impact projects, such as updating existing policies and evaluating new security software.”

With Hyperproof, we finally know where we stand with an audit.

Aaron Poulsen

Director of Product Security and Compliance // DigiCert

Seamless audit preparation

With Hyperproof acting as the single source of truth for all compliance data at DigiCert, their compliance team is more confident that they’re tackling the right things to reduce risk. DigiCert’s compliance team no longer needs to spend time on the repetitive administrative tasks when preparing for external audits, and they can focus their attention on other strategic items, including identifying what controls are in place and closing any gaps well ahead of an auditor’s visit.

Reporting and dashboards

“Hyperproof will also allow us to manage evidence files and controls across multiple programs, linking to multiple requirements, and all the time providing us real-time visibility into our readiness through the use of dashboards, freshness metrics, and potential gaps that will feed into our team’s operational workflow,” says Poulsen. “We know how soon something needs to be reviewed and refreshed. When you’re managing many different programs, frameworks, and standards, having a holistic view of where you stand is no longer an optional output of the compliance function — it’s an expectation. Hyperproof is helping us meet that expectation.”

Retained records of past audits to prepare for future audits

Hyperproof’s system-of-record capability reduces DigiCert’s duplicative work around audit management. “With Hyperproof, I have a detailed trail of all former audits, both internal and external,” says Poulsen. Capturing metadata with each evidence file helps new employees on DigiCert’s team (or simply someone new to a particular audit) have an immediate impact on preparation activities. Poulsen says, “They know where we source artifacts, when we last did it, and from whom. Hyperproof reduces the amount of time and confusion that comes with aggregating information to something almost trivial in the audit process.”

Preparing for upcoming audits using Hyperproof’s capabilities to continuously manage our compliance program is an enormous benefit.

Aaron Poulsen

Director of Product Security and Compliance // DigiCert

Poulsen also states, “Hyperproof is dispensing with much of the administrative overhead necessary to begin providing metrics and valuable insight into our audit readiness – more of my time is freed up to work on strategic tasks aimed at improving the security and compliance posture of the organization. This time savings is a big deal because it allows us to more effectively scale with existing resources.”

Results

  • A seamless tool that helps speed up evidence collection and management processes
  • 80 hours of time saved a month for DigiCert’s compliance team
  • A holistic view into DigiCert’s audit readiness
  • Effective framework management that allows DigiCert to scale their compliance program
  • Standardized operations so the compliance team is closer to a state of continuous assessment and review of their programs