Ask the Compliance Expert: 10 Questions with Cavan Leung, CISSP, CISA, CCSK

  • October 13, 2022

Anna Fitzgerald

Senior Content Marketing Manager at Secureframe


Cavan Leung

Senior Compliance Manager at Secureframe

Secureframe’s goal is to empower companies to manage their security, privacy and compliance programs to meet the demands of today and tomorrow's business environment.

To do so, we act as their in-house compliance team. Each customer is provided with a certified information security expert and former auditor to help them build an effective and scalable compliance program from the beginning.

Today, we’re introducing you to compliance expert Cavan Leung. Cavan has been with Secureframe since November of 2021. In that time, he’s helped dozens of companies meet and adapt to evolving compliance needs.

1. Can you tell us about your background and previous work experience? How long have you been in the security and compliance industry?

I graduated from University of Florida with a degree in Management Information Systems (MIS). After college, I started my career at one of the Big Four accounting firms, Deloitte. At Deloitte, I was involved with information security implementation on enterprise resource planning (ERP) systems and Sarbanes-Oxley (SOX) compliance audits for Fortune 500 companies.

After Deloitte, I joined Schellman where I managed and performed compliance assessments for medium-sized to Fortune 500 companies, touching upon different security and privacy compliance frameworks including SOC 1, SOC 2, GDPR, and ISO 27001, to name a few.

In total, I have over eight years of experience in the security and compliance industry.  

2. What is your area/framework of specialization?

My experience encompasses many frameworks, but if I had to choose one, it would be ISO since that is where my personal interest lies. Nonetheless, I am very comfortable and well versed with a variety of frameworks, including SOC 2, HIPAA, GDPR, CCPA, ISO 27001, ISO 27017, ISO 27018, ISO 27701, ISO 22301, ISO 9001, and others.

3. What excites you most about the security and compliance industry?

To me, what’s most exciting about the security and compliance industry is that it’s always evolving. There are constantly new technologies that emerge in the market, or existing technologies that are changing for the better. Automation is a critical component of the industry’s evolution and also a big part of the reason why I joined Secureframe.

I see many opportunities not only in terms of automating different aspects of security and compliance on the audit front, but also emerging technologies and capabilities that would allow organizations to implement, monitor, and improve their security posture as a whole. We are all experiencing this evolution firsthand and it is only the beginning.

4. What’s a common misconception people have about security and compliance?

A common misconception about security and compliance is that it stops once you finish an audit. Information security is continuous and evermore critical as part of doing business today. 

With the constant emergence of new business-enablement technologies, it also means emergence of new information security risks and threats. Therefore, as an organization, it's important to embed information security as part of your culture, and you should always strive to continually improve your security and compliance posture to minimize new risks. 

Some companies try their hardest to get their SOC 2 compliance or ISO certification and then, further down the line, don’t continue to improve their own security posture. Technology is evolving so fast that if you don’t keep any eye on it, you might be at an even bigger risk of a security incident or having a vulnerability you’re not aware of.

5. Why did you choose to work for Secureframe?

I chose to work for Secureframe because of what we are doing in the security and compliance space. Secureframe is at the forefront of the security compliance evolution and I wanted to be involved to help it pave the way. We are helping organizations streamline and automate security compliance in a one-stop-shop platform.

Coming from a compliance background, I have seen many compliance products, but the majority were siloed solutions and didn’t provide a comprehensive and holistic platform. So it was a breath of fresh air to learn what Secureframe was offering.

Since joining, we have continued to expand our product scope and introduced new exciting features and capabilities. We are not stopping here though — more yet to come!

6. What’s your role in the compliance process for customers?

I become a companion in every step of their compliance journey, explaining how best to implement security controls and programs based on the context of their organization. Ultimately, my responsibility is to ensure customers have a well-implemented security program in place, provide guidance on any nuances or caveats, and enable our customers to complete an audit without any major issues. 

7. What pain points are you passionate about solving for customers?

I’m most passionate about guiding customers through the compliance journey. It can be burdensome without proper guidance. I enjoy providing that educational aspect of security and compliance to all my clients.

I am also excited to see our clients save time and effort by leveraging our platform’s automation capabilities. This makes many aspects of their compliance efforts easier and it's certainly a relief on their end.

Because of this, I am passionate about expanding our automation capabilities by gathering feedback from our customers and then working internally with our Engineering and Product teams to help implement new features. This simplifies their compliance journey and helps them implement an efficient and effective security program that can be maintained over the long term. 

8. Can you share an example of a challenge that you helped a customer overcome in their compliance journey?

Many companies struggle with a lack of clarity working with different compliance frameworks. Security frameworks are not the most straightforward and may require a compliance background to understand what exactly needs to be in place. So as part of the customer’s journey, I’m not only guiding them on what they need to have in place, but also providing that educational aspect on the “why” and demystifying requirement nuances and caveats for each of the compliance frameworks they are pursuing. 

Due to business needs, many customers pursue more than one compliance framework at the same time — like SOC 2, ISO 27001, and GDPR. Companies may also have limited resources in terms of time and personnel. So I provide a clear path for the customer, taking into consideration their unique environment and what would be in scope for each framework. I help them implement controls and security practices appropriately, understand why they’re implementing them, and maintain them going forward. 

9. What’s your #1 piece of advice for people who are preparing to undergo their first compliance audit? 

All frameworks have their own unique nuances and caveats. Listen to your compliance expert because they come from that background and know what needs to be in place. There’s a lot of nuances that you wouldn’t know if doing it on your own for the first time.

And don’t be afraid to ask the “why” of things. Understanding what risks the frameworks or controls are addressing gives companies a better perspective on why they’re doing what they’re doing. But also consider utilizing a comprehensive compliance platform like Secureframe that can help simplify your compliance journey from beginning to end. 

10. What do you see as the biggest organizational benefit of a strong security and compliance posture?

The biggest benefit of a strong security and compliance posture is minimizing information security risks. Today, there’s a lot of ransomware, data breaches, and other cyberattacks. Information security and compliance programs help minimize those risks to ultimately protect your own data and your customers’ data. In turn, this helps establish trust between you and your customers.

Leveraging a platform like Secureframe can help your organization not only establish a strong security and compliance posture, but also maintain it going forward. 

Get compliant with expert help

Want to work with Cavan or another member of our compliance team? Schedule a demo of Secureframe to learn more about how our platform and in-house experts make security, privacy, and compliance fast and easy.