In this episode of 7 Minutes on ITSPmagazine from HITRUST Collaborate 2024, Sean Martin is joined by Michael Parisi and Ryan Meehan from Schellman to discuss the intricacies of streamlining IT audits and compliance for major companies. Discover how Schellman enhances cybersecurity and compliance efficiency while helping organizations navigate audit fatigue and board-level transparency.
Schellman, founded in 2002 as SAS 70 Solutions, was originally focused on just one audit standard: the SAS 70 (subsequently replaced by SOC 2). As the client base grew, so did requests to perform other audits outside of the SAS 70. Schellman grew its offerings over the past 20+ years by identifying client needs and then determining if we have the skillset and expertise to deliver high-quality work. We have always stayed true to our core strengths and expertise, which is why Schellman is the only Top 100 CPA firm that specializes in IT Audit and Cybersecurity.
Schellman provides full-spectrum cybersecurity third-party audits, assessments, and certifications. In a marketplace with growing cybersecurity compliance needs, organizations are struggling to incorporate additional frameworks and regulations in an efficient and effective way. At Schellman we harness our expertise and deep knowledge across the compliance standards to roadmap audits throughout the year in a way that promotes the highest return on evidence collection and subject matter expert time.
By performing specific assessments in a staggered or parallel fashion, Schellman is able to collect once and test many, both in terms of information from subject matter experts and evidence from business stakeholders. The broad range of our compliance offerings, along with our combined audit approach and depth of expertise, sets Schellman apart. Schellman's approach was built to provide expertise and quality work while valuing and respecting the time and stress that assessments and audits place on an organization.
Learn more about Schellman: https://itspm.ag/schellman9a6v
Note: This story contains promotional content.
Guests:
Michael Parisi, Head of Client Acquisition, Schellman [@Schellman]
On LinkedIn | https://www.linkedin.com/in/michael-parisi-4009b2261/
Ryan Meehan, Director, Schellman [@Schellman]
On LinkedIn | https://www.linkedin.com/in/ryan-meehan-cisa-cissp-ccsfp-iso-lead-cipp-71a5939
Resources
Learn more and catch more stories from Schellman: https://www.itspmagazine.com/directory/schellman
Learn more about HITRUST: https://itspm.ag/itsphitweb
Learn more about 7 Minutes on ITSPmagazine Short Brand Story Podcasts: https://www.itspmagazine.com/purchase-programs
Newsletter Archive: https://www.linkedin.com/newsletters/tune-into-the-latest-podcasts-7109347022809309184/
Business Newsletter Signup: https://www.itspmagazine.com/itspmagazine-business-updates-sign-up
Are you interested in telling your story?
https://www.itspmagazine.com/telling-your-story
Effectively Managing a Growing Compliance Program While Minimizing Audit Fatigue | 7 Minutes on ITSPmagazine From HITRUST Collaborate 2024 | A Schellman Short Brand Innovation Story with Michael Parisi and Ryan Meehan
Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.
_________________________________________
[00:00:00]
Sean Martin: And here we are, ready for another 7 Minutes on ITSPmagazine with a new short brand story. And, uh, I'm thrilled to have Michael and Ryan on from, uh, Schellman. And Schellman's all about streamlining IT audits and attestations for some of the world's largest companies. Thanks for joining me, Michael and Ryan.
Thanks Sean. Thank you. So Michael, you and I have had a gazillion chats. Too many. About risk and all kinds of fun stuff. Um, so I'm going to start with Ryan. Maybe, Ryan, can you give me an overview of how and when Schellman was founded, what its purpose is.
Ryan Meehan: Sure. So Schellman was founded over 20 years ago.
Originally, we were actually called SAS 70 Solutions. SAS 70 was a single standard that existed. Very niche. Actually, it's what's now called a SOC 2. And as we started to grow, our clients said, Hey, do you do this? And we said, No, we don't do that. We just do this. But eventually we said, you know what, our clients really like working with us.
We should probably look into it. And so as we grew, we started adding more things that just helped to support our clients and whatever needs they [00:01:00] had in the compliance space.
Sean Martin: And speaking of working with clients, what's it like having an engagement with Schellman, kind of the workflow or the process?
Michael Parisi: Oh, right.
I'll let you start.
Ryan Meehan: Sure. So I think planning is key with any of our engagements, especially on clients that are doing multiple audits, right? Roadmapping is so important to figure out how do we fit all of this into one year? Without, you know, making everybody feel the audit fatigue that everyone talks about, right?
So, starting with the planning of road mapping it out, and then starting early. Making sure that everyone feels comfortable about what all the steps are, what the dates are, having meetings early. Working with us is, is the ability to not feel like you are having an auditor just be dumped in to do the audit, and then extracted back out.
We're with you the whole way. We're holding your hand, we're making sure you understand the process and that you feel comfortable.
Michael Parisi: Yeah, I would add on to that, Sean. You know, what we're focused on is compliance is the outcome, security is the mission. And so everything that we do [00:02:00] to help organizations consolidate their assessments, their audits, their attestations, is really focused on improving their cybersecurity programs, but ultimately getting them the compliance needs that they have from a business perspective.
Sean Martin: What are some signs of fatigue? I mean, there's the physical part of it, but are there signs in the program that
Ryan Meehan: Yeah, sure. So it mostly deals with when our clients, the compliance group that we're dealing with on the client end, they have to go out to all these business folks and they have to ask them, Hey, I need this piece of evidence.
If they go to them multiple times a year, every time you go back, it's a louder response: Oh, not again. The grumbling gets louder. You get less buy-in. And when you have less buy-in on these compliance programs, it's hard to show to people that there's a significance to it, right? It's hard to show to them that this is worth you doing.
Yeah.
Michael Parisi: And I would add on to that when you think about all the requests around documentation and evidence that organizations need to produce in support of an assessment or an attestation. Oftentimes that will sit with their assessors or their [00:03:00] auditors for weeks, if not months. By the time they pick it up, they realize, well, that doesn't satisfy the request.
So one of the things that we've done is we've implemented something called FTR, first time resolution, which is every time we get a piece of evidence, we look at it immediately. Yeah. Absolutely. In order to resolve any issues that may exist. And we actually track that from a metric perspective, and organizations are able to report on that at the board level.
Sean Martin: And speaking of board, um, do you, do you get to work with a lot of boards to, to create the culture?
Michael Parisi: Right. I'll start there. I mean, oftentimes we present alongside our stakeholders from a management perspective with the board to help them understand why is transparency and trust relative to cybersecurity important for that organization.
And I think we've all seen with a number of adverse events that have happened, the pressure is really on for organizations to ensure they have good cybersecurity posture.
Ryan Meehan: Yeah, and I think unfortunately, sometimes we can be the ones that help enter that dollar value that often has a larger, [00:04:00] you know, resonance with the board.
So talking about how much a breach would cost per person, talking about what recent fines looked like. Unfortunately, that's the type of data where the scare tactics unfortunately sometimes work, but we're often working in tandem with them to figure out what is the best pathway to show what's going to be beneficial from this audit.
Sean Martin: Speak to me about some of the stakeholders you work with. I presume the C-level, C suites, CSO and CRO and whatnot. I
Michael Parisi: mean, you know, your usual characters that you would expect, right? So, CSOs, uh, Chief Privacy Officers, Heads of Enterprise Risk, for example, sometimes Heads of Internal Audit, as we've entered the co-sourcing space with Internal Audit Testing.
So, a number of others. In some instances, it may be the CFO or the COO. Right. As we talk about the cost of compliance, it's funny, you and I have talked about this before, where can you actually quantify the cost of compliance? You can, but a lot of organizations think that they cannot. And we have those conversations with CFOs often.
Ryan Meehan: I think that's a really [00:05:00] important point you were making actually because one of the things I try to tell clients that work with us is one of the costs I can't quantify in a contract for you or giving you pricing is the amount of internal time that you save by compiling your audits in the right way internally, right?
Like me coming and asking one time for something. Saves how much time internally for you asking that those set of questions one time it'll walk through, and that covers four audits. How much time did that save your internal resources, right? Like, that is something I can't put down because it's saving you.
It's not saving us, right? We still need to do all the same testing we've done.
Sean Martin: So let's speak to outcomes as we kind of wrap up here. I don't know if you have a use case or user story or customer story you want to share about maybe some of those savings. Yeah, that's something they've said.
Ryan Meehan: So we're here at the, the HITRUST conference, right?
So we'll take a HITRUST e1, which is the Essentials, 1-year certification. Uh, I went through and looked at the SOC 2 and the ISO 27001 and I said, Hey, from an evidence standpoint, what could we re-leverage for the SOC 2 that we're [00:06:00] already gonna have for the e1? And it was 66 to 70% overage in the evidence.
So when we go and we work with clients, when I'm providing them a request list, they get a request list of evidence that says, Hey, here's everything that I need. And if you provide all these things, we're good on both ends. So it's seamless from their perspective when they provide something to us and they know that it's sort of a collect once, test many approach.
Michael Parisi: Yeah. And I'll be talking about this on Thursday, but reciprocity is key. Right, so we have a number of organizations that have gone through the HITRUST r2 as an example, and they've achieved StateRAMP authorization. It's helped them with FedRAMP authorization in addition to SOC 2 and ISO 27001.
Sean Martin: And maybe one quote from, from one of your clients.
I know you have a gazillion of them. You're a great guy to work with. Something somebody told you that you remember.
Ryan Meehan: I was really scared that I was making the wrong decision going with you guys. And I can't imagine not having gotten with you.
Michael Parisi: I didn't know who Schellman was [00:07:00] until I met you.
Sean Martin: There you go.
That's fantastic. And that's seven minutes here on ITSPmagazine. Thank you, Michael. Thank you. Thank you.