SecuriTea Time Ep 3 | Compliance Beyond the Checkbox: A Fresh Perspective on Auditors and Risk

Hey there, everyone! Welcome to another exciting episode of our SecuriTea Time podcast.
Today, we have the pleasure of hosting Beau Butaud, the Risk and Compliance Manager at Moss Adams, a seasoned pro with five years of experience in the risk and compliance realm.
Now, SecuriTea Time is all about diving into the captivating tales of folks in the world of risk and compliance. We've got people from diverse backgrounds, and let me tell you, uncovering their stories is not just a blast but incredibly insightful too!
It's not every day that we get the chance to chat with an auditor and get the inside scoop on their world. So, let's sip some tea and get ready for a conversation that's as refreshing as it is enlightening.
You can listen to the complete podcast here: https://youtu.be/JqW0-i4q4ac
Now, let's jump straight into this exciting episode of SecuriTea Time.
Nicholas Muy: So let's get started! Give us a little background on how you got into the illustrious space of the IT auditor.
Beau Butaud: I pursued accounting in college primarily as a means to secure employment, and it proved successful when I landed a job at a local Seattle accounting firm specializing in financial statement audits. I found this work appealing and continued for a year or two.
However, an opportunity arose within the same firm to join their newly formed Risk team, which focused on technology-related audits. Given the rapid growth of the tech industry compared to the more stable financial clients of an accounting firm, I saw this as a promising opportunity.
After trying it out, I discovered that I enjoyed auditing technology even more than financials. It made more intuitive sense to me. While financial statement audits often involve abstract principles, IT security audits centered around the practical goal of ensuring safety. This shift occurred approximately five to six years ago, and I've been engaged in this field ever since, finding it highly enjoyable.
Nicholas Muy: Shifting from financial auditing to IT risk compliance must have felt refreshing for you. Those of us in security compliance sometimes feel like things have been stagnant, but that might be because we haven't dealt with GAAP (Generally Accepted Accounting Principles), right?
Beau Butaud: Absolutely, it's worth considering. While I may not work extensively with tax rules, it could be valuable to conduct an objective comparison between the complexities of GAAP (Generally Accepted Accounting Principles) and a framework like NIST (National Institute of Standards and Technology). Such a report could shed light on which domain faces greater challenges.
Nicholas Muy: In your view, are there aspects within the IT risk compliance space that people should approach differently or where room for improvement exists?
Beau Butaud: Absolutely, yes. One of the major challenges and common complaints revolves around the tendency to treat compliance reports, such as the ones I work on, as mere checkboxes. The crucial point to remember is that these reports represent a person making claims about various systems and processes, while auditors come in to verify those claims. Simply possessing a SOC 2 report, for instance, doesn't inherently signify much.
What truly matters is understanding why you are obtaining a compliance report in the first place and whether the tests conducted against those claims align with your intended purpose. To make significant improvements in compliance programs, it's vital to start by clearly defining your objectives, establishing the scope of the report being audited, and consistently adhering to these principles throughout the process. While it may not be straightforward, continually asking "why" is one of the most crucial steps toward improvement.
Nicholas Muy: Many people often follow the crowd without fully grasping the purpose or benefits, merely doing so because it seems expected. While a few understand the reasons behind compliance reports, others question their relevance to the business. What's your perspective on this issue with compliance reports?
Beau Butaud: In recent months, I've been in discussions with various clients, and one common topic of conversation revolves around how they perceive the reports we provide. Typically, we inquire about this at the start or end of the audit process.
The responses we receive can be quite intriguing. Some clients express a desire to understand why they receive a particular report, leading to valuable discussions about its necessity and potential need for customization.
As you mentioned, people often hear from others that they require specific reports, like SOC 2 or ISO 27001, and they proceed to obtain them without questioning their suitability. However, during recent client interviews, I discovered instances where vendors or prospective customers initially requested these reports but were open to alternative approaches. It's possible to push back and propose alternatives that might better align with their needs.
In many cases, companies are eager to satisfy prospects' requests without fully considering whether these reports are genuinely essential. Taking a step back and asking what the prospect truly needs can lead to more efficient scoping and tailored reporting. This approach ensures that if a SOC report is indeed required, it serves the specific needs and requirements accurately.
Nicholas Muy: You've clearly been in this field for over five years, and I'm curious to know what keeps you engaged. Your LinkedIn headline, "SOC 2 that slaps," caught my attention, and it's one of the reasons I wanted to chat with you. Could you share more about that?
Beau Butaud: Indeed, it's a great question. I've found that having an engaging LinkedIn headline does help filter out the random messages. I'm often surprised when people respond to my messages, but it's reassuring to know that the headline plays a role in that.
As for my career choices, I share your sentiment about avoiding tasks that are merely checkbox exercises. I've contemplated shifting to building a product because I prefer endeavors where someone truly sees the value. What's kept me in my current role is the opportunity to continually learn and grow.
I work with a variety of small to midsize companies, which means I'm not confined to a few clients all year. Instead, I switch to a new project approximately every other week. This rotation allows me to gain a high-level understanding of different businesses, their data protection practices, and various operational aspects, which I find incredibly fulfilling.
Additionally, as an auditor, I must grasp the technology I'm testing, and I strive to have a solid foundational understanding of it. This means staying updated on evolving technologies like containers and understanding the associated risks. I enjoy diving into these areas and continuously expanding my knowledge. So, in essence, it's the constant learning and diversity of experiences that keep me engaged in my role.
Nicholas Muy: With technology evolving constantly, have you noticed any recent changes in how companies use technology that require auditors to adapt or think differently?
Beau Butaud: A few examples come to mind, and while this one isn't current but spans the last decade, it relates to change management controls. The approach has evolved significantly, especially for companies embracing modern tech stacks and agile processes. While some companies still follow a waterfall approach, many are transitioning to agile methodologies, allowing them to deploy changes frequently to production.
In the past, the security approach revolved around granting developers access to source code repositories and, eventually, providing access to production servers for deployment teams, including DevOps. Auditors found it relatively simple to ask whether developers had access to production servers.
Now, we're witnessing this shift firsthand. Unlike before, when we relied on lists, it's become more integrated into the tools and workflows. For instance, a developer might have the capability to build and push something into production on the same day, as long as it undergoes the appropriate review, testing, or gets processed through a build pipeline.
This shift has prompted us to reevaluate what we consider crucial between development and deployment. The specific criteria vary depending on the product, making it an interesting challenge. Another intriguing aspect is the potential impact of AI on audits, although it hasn't significantly influenced current audit practices. It's a space I'm keeping an eye on to see how it unfolds.
Nicholas Muy: Nowadays, many companies opt for continuous deployment due to the pressure to release changes rapidly. What changes would you, as an auditor, wish to see in the next few years?
Beau Butaud: My top wish would be for companies to take more ownership of their compliance program. Often, the default is to shift this responsibility to the auditor, which happens for various reasons. Auditors are seen as experts in the compliance framework, and the company is typically the one paying for the audit, creating a natural client-service relationship.
However, I believe companies should play a more active role. This involves identifying why they need the report, letting that shape the project scope and system boundaries, determining who the end users are, developing a control framework based on these insights, and assigning control owners while holding them accountable. This proactive approach would significantly simplify the audit process.
On the auditor's side, we should avoid pushing too much into this role and encourage clients to take the lead. We should ask open-ended questions about their controls and allow them to struggle if necessary, respecting their independence and recognizing that we can't build their system better than they can.
In essence, my wish is for companies to develop a clear point of view and take ownership of their compliance program.
Nicholas Muy: How do you approach working with control owners or stakeholders in a way that fosters understanding and collaboration, rather than immediately diving into compliance-related questions?
Beau Butaud: We sometimes tend to bombard control owners with questions right away. Instead, it would be more effective to begin by understanding their primary role within the company. Then, we can gradually connect that to the compliance framework or testing requirements. This approach not only makes people feel valued but also helps us ask the right questions to the right individuals, rather than putting them on the defensive from the start.
Nicholas Muy: Can you share an example of how your experience with risk assessment tools and platforms has helped improve compliance and security processes within your organization? Specifically, how have you balanced automation with the need for human insight in this context?
Beau Butaud: So, it seems like a good example is using tools to improve the risk assessment process. It starts with interviews with core business owners to understand their concerns. From there, you create a business impact analysis to identify key risks. This information should form the basis of a risk assessment and a risk register. Tools and platforms can facilitate this process, but it's essential not to rely solely on automation.
Nicholas Muy: You've highlighted the resource constraints many organizations face when it comes to risk assessment. Given these limitations, would you say that focusing on understanding and aligning with the specific concerns of the business is not only more efficient but also more effective in prioritizing and managing risks?
Beau Butaud: Absolutely, Nicholas. It's about making the most of the resources we have and ensuring our efforts are aligned with what truly matters to the business in terms of risk management. This approach helps us prioritize effectively.
Nicholas Muy: Beau, you mentioned your experience with a client attempting a unified control framework. Can you elaborate on the challenges they faced when trying to implement and maintain it effectively? How do you think they could have done it differently to achieve the desired simplification?
Beau Butaud: A few years ago, I came across the idea of mapping SOC controls to various other frameworks, and it sounded quite promising. I thought, "This could save a lot of effort for companies if they did it right." However, my optimism faded when I encountered my first client attempting a unified control framework. This particular client didn't invest the necessary time and effort to maintain it effectively. Instead of making things simpler, it turned into a complex mess with square pegs in round holes. In the end, it became more work than conducting separate audits and collaborating with different teams.
Nicholas Muy: Absolutely. It takes time, continuity, and leadership support, whether from a GRC or security leader, to implement such changes. This is especially vital in highly regulated industries like health tech, fintech, or insurance tech. Insurance companies, in particular, tend to be cautious about their vendors.
Effective communication, whether through platforms like Slack or understanding peers' needs before discussing controls, is essential. I appreciate your presence today, Beau, and your willingness to share your story and insights. Hopefully, someone who can make a difference is listening. Thank you for the conversation.
And that's a wrap on this episode's key moments! Stay tuned for highlights from our next episode, as we delve into the realms of cybersecurity and compliance once more!