Ask the Compliance Expert: 10 Questions with Fortuna Gyeltsen, CISSP, CISA, PMP, CCSK, Security+

  • September 29, 2022
Author

Anna Fitzgerald

Reviewer

Fortuna Gyeltsen

Achieving and maintaining continuous security, privacy, and compliance can be challenging — especially if you’re doing it on your own. Secureframe’s mission is to provide cutting-edge automation and expert guidance to simplify and streamline the compliance process at every step. 

We not only have a GRC platform that automates and streamlines the end-to-end compliance process, but we also have certified information security experts and former auditors who offer every customer complete support before, during, and long after the audit.

Today, we’re introducing you to compliance expert Fortuna Gyeltsen. Fortuna has been with Secureframe since October of 2021. In that time, she’s helped dozens of companies obtain and maintain the most rigorous global compliance standards and stronger security postures.

1. Can you tell us about your background and previous work experience? How long have you been in the security and compliance industry?

I’ve been in the industry full-time for about 6.5 years, but I’ve been part of the industry for nearly thirteen years total, counting my internship. From the time I was 16 until graduating college at 22, I spent summer and winter breaks working in an office and data center for a government agency on security and compliance-related work.

When I started working full-time, I began in the healthcare industry for a few years and then transitioned back to security and compliance. At Blue Canopy, I provided security support services to a federal agency and performed security controls assessments for another agency. I actually started as a project manager, but of course there was more to do than there were people, so I started assigning myself work and studying for the Security+ off-hours. I eventually went from doing 80% project management and 20% technical assessments to 80% technical assessments and 20% project management.

Then, I transitioned to solely performing those assessments for a variety of customers at Coalfire. Before joining Secureframe, I was a dedicated resource to a major cloud infrastructure client. In that role, I expanded into different compliance frameworks and managed dozens of their data center assessments.

2. What is your area/framework of specialization?

Because I was dedicated to that one customer in my last role before Secureframe, I was able to expand across different frameworks like ISO 27001, SOC 2, PCI DSS, BSI C5, and DoD IL 4 and 5. At Blue Canopy, I mostly did FISMA.

But my main specialization and where I’ve spent the majority of my career at Coalfire is in FedRAMP.

3. What excites you most about the security and compliance industry?

There’s so much uncharted territory, and there are always changes in technology, so I could never get bored. It takes a certain level of critical thinking, creativity, and imagination to figure out how to apply fundamental security concepts, and that’s exciting to me.

4. What’s a common misconception people have about security and compliance?

Security and compliance are different goals, and sometimes people talk about them interchangeably. A lot of misconceptions revolve around the idea that security and compliance are just a checkbox.

That’s completely okay for a starting point. In fact, that’s why compliance frameworks exist: to give people a starting point. But requirements can be very vague and repetitive and, again, technology and the threat environment are constantly changing, so you have to be proactive about how you meet those requirements. That’s critical in maintaining a strong security posture.

Thinking about the intent behind why such requirements exist brings a lot more value in the long run than someone just trying to do the bare minimum to check the boxes.

5. Why did you choose to work for Secureframe?

There are many reasons but I’ll name two. First is the opportunity to build something. Before Secureframe, I was an auditor. As an auditor, the nature of the position is that I critiqued someone’s system and was limited to an outside perspective. I didn’t get to build anything or go in-depth and I get that opportunity here. 

Second, security automation is an area where there are countless organizations trying to figure it out and that’s exciting. I wanted a seat at the table.

6. What’s your role in the compliance process for customers?

I answer a lot of compliance-related questions from the time that organizations are potential customers to after they’ve completed an audit. My team is always a resource.

The most involvement is when we perform readiness assessments or mock audits to review their Secureframe instance. In my readiness assessments, I personally take a look at all of the artifacts they’ve uploaded into the data room and critique the quality of those artifacts. I also ask questions and ask for clarifications to prepare them for the types of things that their auditors will ask.

7. What pain points are you passionate about solving for customers?

Traditionally, if you don’t have any automated tools, preparing for an audit is very manual. You’re grabbing screenshots, filling out spreadsheets for tracking, and so on. It eats up a lot of time and resources. To me, it’s very shallow work. You’re spending so much time and energy collecting evidence that you don’t get to zoom out and think about what exactly you’re doing and whether it’s meeting your organizational needs. Because when you’re pressed for time and resources, you’re more likely to want to just hit what the requirements are and, like I mentioned before, achieve the bare minimum. And that makes sense because at some point, you have to move on as a business.

The thing that’s cool and what I’m passionate about solving for customers is cutting down on that shallow work so that they have the capacity to think big picture about areas for improvement, if they choose to.

8. Can you share an example of a challenge that you helped a customer overcome in their compliance journey?

A lot of the more impactful conversations I’ve had are helping customers scope their audits, answering “Where do I even start?” and “Where do I draw the line?”

We have some customers who have environments that are more straightforward and they don’t need as much help connecting integrations and knowing what to provide as evidence. But we have other customers who are in a multi-cloud environment or they use tools in a different way than how they’re traditionally used. Or maybe they have different kinds of data or how they manipulate that data is unique. So for them, it’s not as straightforward as “Oh, I use these integrations. Let me connect them and I’m ready to go.”

After I have that conversation to better understand the customer’s environment and help them scope what they need to consider for their audit, they have a much easier time getting audit-ready. A lot of the value that my team and I provide is giving hands-on consultation, versus just providing the tool and expecting customers to know what their audit scope is and what artifacts to upload. That would be much harder.

9. What’s your #1 piece of advice for people who are preparing to undergo their first compliance audit? 

Don’t do it alone — leverage the knowledge of experts. Doing anything for the first time is much easier and more effective if you have a teacher or coach.

I mentioned before that compliance requirements can be quite vague and repetitive, so for someone going through an audit for the first time, that can mean a lot of wasted effort and time. Having an expert on your side from the beginning can really help translate those requirements and simplify exactly what they mean and what kind of evidence would be considered acceptable.

10. What do you see as the biggest organizational benefit of a strong security and compliance posture?

Gaining and keeping the trust of your customers and a solid reputation. Like I previously discussed, say an organization is more focused on compliance and checking boxes than on looking at compliance and security. They don’t want to follow best practices because they just want to do the bare minimum to meet requirements and get it done. If they subsequently have a breach, then their audit report or certification isn’t as valuable as a selling point to their customers.

Get compliant with expert help

Want to work with Fortuna or another member of our compliance team? Schedule a demo of Secureframe to learn more about how our platform and in-house experts make security, privacy, and compliance fast and easy.