I’ve talked about governance and maturity models before in regards to cybersecurity. The complicating factor is that companies with little process maturity are flung into the world of standards and auditors.
For example, I was not initially part of the process team when the former seat-of-the-pants Printrak had to play CMM catch up with our new corporate overlord Motorola. But it was a bruising experience.
These days you have a lot of startups, not owned by multinationals, that are required by large customers and governments to comply with some standard or another. Winging it is not an option; winging it is failure. Or, in process-speak, winging it can result in a high statistical probability of a large number of adverse findings.
Vanta wants to help.
Its early April “Guide to working with auditors: Best practices for startups” contains several suggestions.
- One is to engage with auditors early so that you become familiar with each other.
- However, you should NOT give auditors access to your data early. Wait until you are ready. Assuming your data is in a Vanta instance:
“If you’re still finalizing controls in Vanta, granting early access could cause confusion. However, some firms prefer early access for familiarization—as long as they don’t start testing prematurely.”
Vanta’s guide is at https://www.vanta.com/resources/guide-to-working-with-auditors-for-startups
(Wombat image via Imagen 3)
PS to cybersecurity product marketers
Are you getting YOUR product’s message out? Or is a stretched team holding you back from creating stellar marketing materials?
Bredemarket has an opening for a cybersecurity client and can help with compelling content creation, winning proposal development, and actionable analysis. Book a call: https://bredemarket.com/cpa/
Bredemarket 
3 Comments