In this episode of 7 Minutes on ITSPmagazine from HITRUST Collaborate 2024, Sean Martin is joined by Shreesh Bhattarai to share his insights on how A-LIGN has become the leading provider of high-quality, efficient cybersecurity compliance programs and provides the widest breadth and depth of services including SOC 2, ISO 27001, HITRUST, FedRAMP, and PCI.
The focus is on HITRUST assessments, specifically the e1 certification, which provides an entry-level approach to cybersecurity compliance. The session emphasizes that compliance is an ongoing process and highlights the HITRUST e1 framework's adaptability to evolving threats. It also discusses the value proposition of the e1 certification, its affordability, and its suitability for low-risk organizations, as well as its synergies with existing SOC2 and ISO certifications.
A-LIGN was founded in 2009 by CEO Scott Price to help companies like yours navigate the complexities of cybersecurity and compliance by offering customized solutions that align specifically with each organization’s unique goals and objectives. We believe your business can reach its fullest potential by aligning compliance objectives with strategic objectives. Working with small businesses to global enterprises, A‑LIGN’s experts coupled with our proprietary compliance management platform, A‑SCEND, are transforming the compliance experience.
A-LIGN is the leading provider of high-quality, efficient cybersecurity compliance programs. Combining experienced auditors and audit management technology, A-LIGN provides the widest breadth and depth of services including SOC 2, ISO 27001, HITRUST, FedRAMP, and PCI. A-LIGN is the number one issuer of SOC 2 and HITRUST and a top three FedRAMP assessor.
Learn more about A-LIGN: https://itspm.ag/a-lign-uz1w
Note: This story contains promotional content.
Guest: Shreesh Bhattarai, Director of HITRUST, A-LIGN [@aligncompliance]
On LinkedIn | https://www.linkedin.com/in/shreesh-bhattarai-cisa-ccsk-hitrust-ccsfp-chqp-5a052837/
Resources
Learn more and catch more stories from A-LIGN: https://www.itspmagazine.com/directory/a-lign
Learn more about 7 Minutes on ITSPmagazine Short Brand Story Podcasts: https://www.itspmagazine.com/purchase-programs
Newsletter Archive: https://www.linkedin.com/newsletters/tune-into-the-latest-podcasts-7109347022809309184/
Business Newsletter Signup: https://www.itspmagazine.com/itspmagazine-business-updates-sign-up
Are you interested in telling your story?
https://www.itspmagazine.com/telling-your-story
Guiding Organizations on the Next Steps in Their Compliance Journey | 7 Minutes on ITSPmagazine From HITRUST Collaborate 2024 | An A-LIGN Short Brand Innovation Story with Shreesh Bhattarai
Sean Martin: [00:00:00] And here we are. We're ready for another 7 Minutes on ITSPmagazine with a new short brand story, and I'm thrilled to have Shreesh Bhattarai with me from A-LIGN. Good to have you. And A-LIGN is all about helping organizations throughout their compliance journey, which we're going to talk about what that looks like today.
Um, maybe if you can just start off with an overview of who A-LIGN is and what, what services you offer.
Shreesh Bhattarai: Sure. Yeah. So we're a cybersecurity company that we specialize in audits across all major frameworks. SOC, ISO, PCI, you name it, we do it. We're also proud to be one of the highest volume HITRUST assessor firms.
So, which means that we get a front row seat in recognizing and understanding people's organizations compliance roadmap and where they start, where they finish, what kind of risk profiles that they have. So we have that ability to look at.
Sean Martin: And you, you, you're all about HITRUST. That's your role. Yeah, that's what,
Shreesh Bhattarai: that's what I do is run the HITRUST team and we have [00:01:00] We do a lot of assessments every year and that's, you know, it's, it's common for organizations to start off their compliance journey with a SOC 2 attestation and ISO 27001 certification.
But once they've established that foundation, the question that every CISO or senior leadership in an organization should be asking is, well, what's next? Because Sean, you and I know compliance is not a one stop destination. There's no finality to the process. It's an ongoing journey. And the journey entails continuously strengthening the security posture of the organization, especially in today's, you know, rapidly changing cyber threat landscape.
And so the question becomes, well, is there a framework that exists that is extremely robust, extremely, um, scalable. It's a certification, not an attestation. And most importantly, it uses this maturity model that ensures that your security. [00:02:00] roadmap does not stay stagnant. It is constantly evolving and dynamic.
And the answer to that question is yes, a framework that does exist and it's called the HITRUST CSF. And within the HITRUST CSF, you have different tiers of assessments. You have the R2 assessment, which is the highest tier, which you have the I1 assessment, which is the middle tier. And then you have the E1 assessment, which is the lower foundational tier.
And it has never been easier for organizations to tag on that comprehensive of a framework into their existing portfolio of a SOC 2 and an ISO 27001.
Sean Martin: So talk to me about getting started because I think the success certainly with SOC 2 and 27001 is rooted in that initial entry of getting started, which is the hardest part for a lot of organizations.
Um, but at that, at some point you have those two and probably other things, which is where HITRUST comes in to kind of bring them all together and raise the bar some. So talk to me a little about [00:03:00] the E1 and how that helps.
Shreesh Bhattarai: Yeah, so I think what HITRUST has done tremendously over the last few years is that it has really recognized the need of having different tiers of assessments within the market.
And so can we provide a smaller version of the HITRUST still entailing the robustness of the framework, but the E1 assessment being on the lower side of being able to afford, and it has tremendous efficiencies to tag onto the ISO and the SOC. SOC reports and ISO 27001 certifications, those are great broad overview to start your compliance program.
What HITRUST does differently is that it is extremely prescriptive in nature, and so with a static 44 requirements within the E1 assessment, it really focuses on your data security, which has never been, you know, it requires that level of security because you are dealing with patient data, you are [00:04:00] dealing with other sensitive data.
So that's where the value lies is its comprehensive nature.
Sean Martin: And how does, how does the engagement with A-LIGN and your team perhaps change the way organizations look at their programs? Um, not just from a tick-the-box perspective, but actually implementing controls in a meaningful way.
Shreesh Bhattarai: Yeah. So after they've, they have some level of foundation built with a SOC 2, an ISO, it has become extremely easy to tag on that E1 assessment to the compliance portfolio.
It's never only a checkbox. There are a lot of synergies that are gained. Uh, you know, we, we can go down the details in terms of what those are, but if you've done a SOC, if you've done an ISO certification tagging on an E1 is half the work is already done. And the other half, you know, speaks to the level of robustness that E1 has.
So whether that's having to provide more population and samples, things like that, it, it, the level of robustness requires you to do that extra [00:05:00] work, but you're half of the way there.
Sean Martin: So who do you typically work with, um, in terms of types of organizations, are they small, medium business, large organizations?
Shreesh Bhattarai: We don't discriminate. We have clients that are on the SMB market side. We have medium businesses, and we have enterprise. So smaller ones tend to go with the E1 assessment and then kind of build their way up as their risk profiles change. And the enterprises are, they're like, yeah, let's go, let's do the R2 right off the bat.
Sean Martin: And when you're working with them, what, um, what are some of the challenges that you help them overcome?
Shreesh Bhattarai: Well, the first is the organizational buy-in. I think there's a lot of educational gaps in terms of recognizing, well, we've built this great business, but then compliance kind of gets put on the side.
It's not, it's on the back burner. It's not the priority. And so to try to get that level of education up at the senior leadership level is our main challenge. Once you get there, once they recognize that yes, [00:06:00] compliance is extremely necessary, especially when the bad actors are in abundance. Once we get that message, then everything kind of flows well from there.
Sean Martin: And in terms of the, the outcomes you're seeing with your clients. So there's getting started, but then there's the ongoing journey. Companies grow, they, they acquire other companies. So talk to me a little bit.
Shreesh Bhattarai: A hundred percent. So I look at the ingestion of the HITRUST assessment as twofold. One is obviously the security fold and I've articulated why that is very important.
The other pillar is the ROI pillar because most of the companies that we're working with, they are being backed by private equity firms. They're being backed by VC firms and we all know what it is that they want. They want great return on their investment. And there is ample, ample data that demonstrates that once you've tagged on an E1 certification, an I1, an R2, the HITRUST CSF framework in general, it gives you an immense advantage in securing that next deal because you're going to [00:07:00] put yourself, uh, ahead of your competitors.
And so the ROI piece to the puzzle is extremely great.
Sean Martin: Perfect. Well, Shreesh, thanks for sharing this story about A-LIGN with me and that's seven minutes on ITSPmagazine.
Shreesh Bhattarai: Thanks, Sean. Appreciate it.