Like many tech companies, Metadata.io built its B2B marketing automation business from the ground up, consistently adding key functions like personalization, prospect data enrichment, and creative micro-targeting strategies.
As it was growing, the company did its best to comply with critical attestations and standards like SOC 2 Type II and ISO 27001. But most of the focus was on building the company’s core assets, not thinking of ways to streamline and automate compliance.
These frameworks aren’t easy to comply with. Although they share about 60% of the same controls, they are completely different frameworks and require different processes.
The company did the best it could to comply with these controls with largely manual processes. All controls were written in spreadsheets, with no owners of specific controls and no way to ensure version control. Controls were stored in nested folders and Google Drive.
After a few years, it became clear that the compliance process simply wasn’t working. To address the issue and shore up security in general, Metadata.io hired veteran CISO Raymond Taft.
A Tangle of Manual Compliance
“When I first got here, the company was just shy of about three months of its Series B fundraiser. It was still a very scrappy company,” Taft says.
The first order of business was addressing the haphazard way Metadata.io was handling compliance. The current, largely manual system made it difficult to track compliance and ensure that controls were continuously monitored.
“Every single background check and confidentiality agreement had to be marked in a folder. It can take an enormous amount of time if you’re continuously grabbing evidence for every one of those controls and putting them in these folders,” Taft says. “It ends up being a nightmare to collect because you have to go back to that spreadsheet to, for example, collect evidence on specific need to things on specific days.”
It was also labor-intensive, taking six people to do nothing but evidence collection. That’s a lot of people when the total employee count is only 40.
Taft also discovered that the company was missing controls around background checks, performance reviews, and continuous monitoring of its cloud environment. Perhaps even more concerning was the haphazard way that data loss prevention, and security in general, was monitored and controlled.
“I knew within the first three months of working here that it would never scale as the company planned to grow to three or four times its current size,” he says.
Without automation, Taft could see the writing on the wall. In addition to losing customer trust, the company would have had to continue spending a lot of money on evidence-gathering, and may have ended up outsourcing the entire function.
Automating Compliance via Outsourcing
Automating the compliance function was the only way Taft could see to gain control and ensure that controls were being consistently met. He didn’t think it was a good idea to try to automate the function internally; not only was it not a core competency of the company, but it would incur a significant learning curve and take a significant amount of time.
Compliance automation is a good option for many enterprises, says Rik Turner, a cybersecurity analyst at Omdia.
“If your business spans multiple verticals and/or geographies, it’s likely that you will be subject to multiple compliance requirements. This makes complying with them all a time- and resource-consuming undertaking, so automating your compliance activities represents significant potential savings,” he says.
In addition, a typical human-driven compliance project is carried out on a monthly, quarterly, or even semi-annual basis, which means that it provides only a point-in-time view of compliance at the moment it was completed. An automated approach, on the other hand, holds the promise of continuous checking and alerting as soon as a change to the infrastructure or business processes risks slipping out of compliance, he adds.
Taft wanted a full-stack automation tool that would be able to configure policies, identify control failures or other issues, and quickly incorporate new controls. He also wanted to ensure that the solution could integrate with the stacks Metadata.io used most commonly. That included Jira, AWS, and GCP, along with its background check provider and HR platform.
“We knew if we could plug into those and continuously gather evidence, we could knock off more than 80% of our total evidence-gathering requirements for the year,” he says.
There are plenty of tools that meet the requirements around continuous compliance, Turner says. More specifically, he notes that vertical and geographical breadth of coverage is key. But most importantly, he adds, potential buyers should check whether a tool that measures compliance stops at the alerting stage or can actually remediate situations when it detects that a change has caused the organization to slip out of compliance.
With these issues in mind, Taft settled on Drata for automated compliance monitoring. The tool automates evidence collection from all of its tooling, querying it every second of the day and reporting on status. It also communicates the state of Metadata.io’s compliance program to auditors through a portal that also allows them to ask questions.
Building on Good Results
Since the implementation, Metadata.io’s internal compliance team has been reduced to four people, even though the company has now grown to more than 100 employees. Taft says companies Metadata.io’s size typically have compliance teams of 10 to 15.
The company also realized an unanticipated benefit: being able to fold some of its services into Drata via its trust center. Before, the company was paying $30,000 per year to upload its documentation to a trust center, where customers could access it. Drata’s solution includes a trust center, saving the company that money.
That’s just part of the cost savings. Taft says that all told, automated compliance has resulted in a 6x reduction in cost.
Time savings also has been substantial. For SOC 2 Type II and ISO 27001 compliance audits alone, for example, prep time went from six weeks to two weeks. Taft says that he recently met with the company’s auditors for a total of five hours for the audit period. Last year that took four days.
With SOC 2 Part II and ISO 27001 fully automated and under control, Taft’s next project is expanding into other compliance projects like ISO 27701, which is focused on data privacy, along with other frameworks.
The key to expanding, he says, is leveraging the automation tool’s approach to control mappings and its ability to cross-map.
“There are dozens of frameworks, and they all share a little bit of DNA with each other,” Taft explains. “The cross-mappings could be horrendous and could take months. For example, how does ISO 27701 relate to privacy for SOC 2?”
Drata’s control and framework mapping enables users to click on a framework and see which controls apply to it. With that information, it’s fairly simple to determine what’s needed in terms of human resources to adopt the new framework, he says, and whether it makes sense for the business to move forward with it.