Ask a Compliance Expert: 10 Questions with Jonathan Leach, CISSP, CCSFP, CCSK
One thing we constantly hear from customers is that our team of compliance experts is their lifeline.
Achieving compliance with stringent frameworks like SOC 2 and ISO 27001 or comprehensive data privacy laws like GDPR can be stressful and overwhelming. It’s Secureframe’s mission to simplify and streamline the compliance process, both with cutting-edge automation and expert guidance.
Having a certified information security expert and former auditor in your corner throughout the entire process can make a world of difference. They can answer all of your technical and audit-specific questions and help you implement security processes and best practices. It’s why we provide each customer with a dedicated compliance manager for complete support at every step — before, during, and long after the audit.
Today, we’re introducing you to compliance expert Jonathan Leach. Jonathan lives in Steamboat Springs, Colorado and has been with Secureframe since March of 2021. He’s helped dozens of companies achieve and maintain certifications and stronger security postures.
1. Can you tell us about your background and previous work experience? How long have you been in the security and compliance industry?
I graduated from the University of Denver, where I studied International Business and Mandarin, and then worked in IT and accounting information. I was responsible for tasks like checking balances and access controls, network security, etc. I’ve been working in IT and information security specifically for over a decade now.
During my time at InteliSecure, I started working on a small managed services team managing security tools. Then one day the CEO asked if someone wanted to join the sales team. They needed someone who knew the intricacies of the product and could explain it to customers. I made the switch to that role until the sales rep structure changed. They wanted someone local to represent each geography, and I didn’t want to move away from Denver. Someone from the consulting team invited me to join them, and ever since I’ve been more on the consulting side of things.
So I’ve gone from managing different programs like ISO 27001 to selling them and now on the consulting side, putting them into place or helping improve implementation. At Coalfire, I was once again a consultant, sometimes a virtual CISO, but my role was to build security programs, either to a specific framework or to adopt best practices, and perform audits. At Coalfire I helped customers build up their security programs and prepare for an audit, and then either helped them go through an audit or performed an audit.
Now I get to wear all of these different hats here at Secureframe, whether it’s helping a customer build a new security program from the ground up, adhere to a specific framework or multiple frameworks, do an internal audit, or go through the external audit process.
2. What is your area/framework of specialization?
I am a Certified Information Systems Security Professional (CISSP), which is widely considered the ultimate certification in information security because it’s both wide and deep.
That said, my greatest familiarity is probably around ISO — I’ve been an ISO 27001 lead auditor since my days at InteliSecure. I also helped pioneer Secureframe’s ISO 27701 offering with a specific customer before we went live with it. So I’m very well versed with the international frameworks: ISO 27001, ISO 27701, GDPR, as well as HIPAA and HITRUST.
3. What excites you most about the security and compliance industry?
The future of this industry is so exciting. It’s a big part of what drew me to Secureframe — we’re really shaking things up with automated evidence. Being able to bypass so much back-and-forth confirmation is an absolute game-changer. “Does this screenshot satisfy this particular control?” That’s the stone tablet and chisel method of compliance, the old way of doing things.
Compared to how we’re doing it now with almost instant verification. You connect the integration, hit sync, and for most of our tests you can know immediately if something meets the requirements for a specific framework. The opportunity to help the industry get used to that and making it the new standard is pretty cool. You’re seeing larger companies now play catch up to a degree.
4. What’s a common misconception people have about security and compliance?
That it’s not awesome or interesting. It might be something that you have to do, but that doesn’t mean it has to be a slog. We’re here to make the process, from beginning to end and beyond, as painless as possible, and maybe even fun.
5. Why did you choose to work for Secureframe?
Ultimately the people and culture drew me to Secureframe, and it’s what I enjoy most even now. Obviously, the entire Secureframe team as well as the individuals that you work directly with is a big part of that, but our customers and partners are too. All of the people that I get to interact with, from my teammates in compliance to the customers I work with and our auditing and pen test partners, everyone is a real joy to work with.
There’s also a pervasive ownership mentality here at Secureframe. People are driven to own what they’re working on, and if you know someone who can help you, you’re able to go to them directly to get that help.
6. What’s your role in the compliance process for customers?
We usually come in after a customer has finished their onboarding with customer success. They’ve optimized their use of the platform and gotten everything integrated and working. If the customer has a question that stumps the customer success team, that’s when a compliance resource can get involved directly or provide an answer as a team. Also, if a customer has a bunch of technical or audit-specific questions early on where it would be easier for us to have a direct conversation with them, that’s another case where we would step in and get involved earlier in the process.
Typically though, once a customer has finished onboarding and has most of the different tests passing, that’s when we schedule a readiness assessment with the compliance team. We do a mock audit and complete a high-level overview where we answer any general questions or talk about specific tests. For example, maybe they’re doing something slightly different than what the test is looking for, and they want to know if what they’re doing still meets the requirement.
We stay involved throughout the audit process. Some customers will need a little extra support or their auditors will have questions that the customer wants clarification on before they send an answer back.
We also offer assistance when they have another audit in the following years, or perhaps something on their side changes. For example, they implement something new, or a new person steps into the role and we show them the ropes.
Some of our customers have their own consultants, and we work with them to show how they can both own the management of the system and the associated security frameworks and certifications while showing how a more efficient approach is either saving their client money or allowing them to focus their attention on larger priorities.
7. What pain points are you passionate about solving for customers?
My goal is to make the whole certification/audit process and management as stress-free and painless as possible — giving them the ability to see exactly what they need to do from the beginning to the end of the whole process, what’s supposed to happen and when, who’s responsible for it, when it will be finished by. All of those things can be really difficult to track if you’re not using Secureframe.
8. Can you share an example of a challenge that you helped a customer overcome in their compliance journey?
One challenge which comes to mind, which I have actually dealt with multiple times now, is that of new customers being onboarded after disengaging from another security firm that was less helpful with audit readiness and ongoing security monitoring than they had hoped or paid for. I have turned many a new customer from a skeptic into a fan of not only the Secureframe platform, but the stellar services we provide as part of the ongoing partnership.
In some of those cases, either the customer’s previous set of policies, procedures, and controls evidence was either difficult or impossible to export. In other cases, policy sets were either incomplete or not totally applicable to the new framework they were looking to achieve compliance with. In both cases, we were, as with all customers, able to provide a fresh policy set along with a list of required controls and an easy-to-navigate interface showing how those map to the various tests and where they stand in regard to audit readiness.
Oftentimes customers tell me that with their previous audit readiness provider they felt left alone with a product and nobody to show them how to use it or answer their questions. We take the opposite approach. From beginning to end, they have dedicated resources who are familiar with what the requirements call for and who know what auditors will be looking for and what the customer needs to do to ensure they are compliant.
We are there to help them make sense of their existing documentation and to formalize previously undocumented or non-standardized procedures. And then with the Secureframe platform, we turn it all into a well-oiled, security and compliance readiness and monitoring machine.
9. What’s your #1 piece of advice for people who are preparing to undergo their first compliance audit?
It’s not as scary as it seems! We’re here to help, and even though some of the requirements are complex, we make it really easy for our customers to follow it all.
10. What do you see as the biggest organizational benefit of a strong security and compliance posture?
Regardless of certifications, you’ll walk away from the process with a stronger security posture and a greater understanding of how to keep your data secure.
Certification doesn’t always mean secure, and audits don’t always catch every little thing. But with our tool, we spot every single example, not just by each control, but by every individual instance that feeds into the spirit of that control. You’ll know if something falls through the cracks so you can follow up right away. You’ll be as secure as possible by leveraging that lightspeed knowledge of when all of your security switches are flipped and when they’re not.
With Secureframe, you’ll be able to display your integrity by showing what you’re doing for your customers — and you’ll be able to sleep at night knowing that you’ve done everything you could and should based on industry-accepted standards. You’ll know without a doubt that you’ve done right by your customers by being proactive about security and partnering with us to go the extra mile.
Get compliant with expert help
Want to work with Jonathan or another member of our compliance team? Schedule a demo of Secureframe to learn more about how our platform and in-house experts make security, privacy, and compliance fast and easy.