Ask the Compliance Expert: 10 Questions with Rob Gutierrez, CISA, CSSK
When working with a compliance automation company to enhance your security and privacy posture, you may have technical questions about an upcoming audit or want to talk through a specific framework requirement.
In that case, you don't want a chatbot that regurgitates standard responses or informs you that someone from the team will be in touch. You want to be able to connect directly to a compliance expert, one who actually knows your name and can answer questions about your unique environment.
At Secureframe, we understand the value of having an expert in your corner throughout the entire compliance process. It’s why we assign every customer a former auditor to support them at every step. And it’s why we’re launching a new webinar series — Secureframe Office Hours | Ask an Expert. It’s an open opportunity for anyone to join a member of our team of in-house security and compliance experts for a live Q&A.
For our first Secureframe Office Hours, certified information security specialist and former auditor Rob Gutierrez will share his advice for simplifying the security certification process. Check out the webinar recap, and keep reading below to get to know Rob.
1. Can you tell us about your background and previous work experience? How long have you been in the security and compliance industry?
I’m originally from the DC area, which I think is part of how I ended up here, actually. After graduating from Penn State with a major in Supply Chain & Information Systems, I got an offer from KPMG and ended up returning home to DC. Being in the nation’s capital, it’s no surprise I landed in federal IT.
My first audit was a financial statement audit for the US Department of Labor. I was with KPMG for 4.5 years as a federal external auditor, audit readiness consultant, and supply chain consultant. I did FSA and FISMA audits with various small and large government agencies, and I also did some audit readiness work.
Then I spent nearly two years with Coalfire as a FedRAMP auditor, working with industry-leading tech companies. I’ve been in the security and compliance industry for more than six years now.
2. What is your area/framework of specialization?
Based on my background and experience, my specialization is the federal space: NIST and FedRAMP. Now working with Secureframe, I’ve mastered many more frameworks including SOC 2. I’ve lost count of the number of customers I’ve helped achieve SOC 2 Type I and Type II.
I’ve now become very familiar with all of our frameworks. Most frameworks, including their controls and concepts, are fairly similar; they just have different nuances. It’s like learning different romance languages. If you’re fluent in Spanish, Portuguese and Italian tend to be easier to pick up because they all come from the same family tree. With SOC 2, ISO, HIPAA — the concepts and best practices are the same, but the requirements vary.
3. What excites you most about the security and privacy compliance industry?
As a former auditor, I believe compliance automation is the future, and Secureframe’s industry-leading approach and platform are changing the audit industry.
Historically, audits have been manual, time-consuming, labor-intensive, and frustrating. Most audits are a glorified paperwork exercise designed to ascertain one thing: whether someone is doing what they’re supposed to be doing. Audits should be automated, and it’s exciting to be on the cutting edge of the industry’s future.
4. What’s a common misconception people have about security and privacy compliance?
People find it much more daunting than it is. Due to a lack of knowledge, familiarity, and comfort with compliance and its frameworks, people think security and privacy compliance are a much bigger challenge than they are — especially with SOC 2, where requirements can be more flexible and not as straightforward as those of other frameworks.
That’s another misconception — oftentimes clients want to be told there’s one way to meet a requirement, especially with SOC 2. But there’s no one-size-fits-all for compliance. We work with customers to figure out the best way for them to get and stay compliant, looking at different controls and systems. Even auditors know that there are multiple ways to meet requirements depending on your unique environment and situation. What’s your justification for doing something? If you use the right logic and are risk-averse, it’s probably OK for your system, security, and compliance.
5. Why did you choose to work for Secureframe?
I’ve always been interested in compliance, but I’m passionate about the problem we’re solving at Secureframe. Compliance automation is the future, and this was a chance to be part of something special that will positively impact how business is done around the world.
Ultimately though, it’s the people that sold me on joining Secureframe. From my very first interview, everyone that I’ve worked with has been genuine, caring, hardworking, smart, and passionate about what we do. They see the vision and the goal, and we’re all in it together with our customers to help them be successful — their success is our success.
6. What’s your role in the compliance process for customers?
If the customer needs help from the jump, we’re there to help them determine what they need to do for that first step in their compliance journey. Or maybe they’re in a rush because a deal is on the line and they need to get a certification done in six weeks. It depends on the customer’s needs, but that’s what’s awesome about our team. We step in anywhere, anytime. Our sales team sells a personalized customer experience, and between the compliance and the customer success teams, we execute on that with passion and pride.
We genuinely care about our customers. When we see them stressed, we want to help them feel confident. When they have a question, we want to provide an expert answer. And if they have an issue, how can we take their feedback and make our product and customer experience better? We’re always working to improve our product and our methodology for our customers.
7. What pain points are you passionate about solving for customers?
Aside from saving time and manual effort for customers, my favorite pain point to fix for clients is giving them assurance for their audit and relieving their stress. Oftentimes customers don’t know what's required for compliance or if what they’re doing is sufficient, and this can be stressful. I enjoy talking through their questions and concerns to make sure they know that what they’re doing will help them achieve compliance.
8. Can you share an example of a challenge that you helped a customer overcome in their compliance journey?
Some clients are very overwhelmed. One in particular needed certification in six weeks, and they were starting at ground zero. They were in a rush and they felt lost. Another customer that comes to mind is one that I helped get compliant with SOC 2 and HIPAA at the same time.
By making compliance a clear process, I was able to alleviate their stress and get both companies on the right path. They both got their certificates and were really happy. I’m not just helping them get a report, I’m making their lives easier and giving them peace of mind. It’s important that our customers feel that sense of trust and accountability.
9. What’s your #1 piece of advice for people who are preparing to undergo their first compliance audit?
That’s tricky because it’s different for everyone. Each one of our clients is dealing with different customer expectations, different resources, different systems. I would say, generally speaking, start with policies. Policies set the groundwork for everything. Make sure your policies match your processes and vice versa — at the end of the day, that’s what your auditor is looking for and attesting to.
Another piece of advice is don’t get too stressed about compliance. So many companies know they need to be compliant or achieve a certain certification, but they don’t know what it takes or where to start. Work with Secureframe — we’ll make it as fast and easy as possible and ensure you get the certification or report you’re looking for.
10. What do you see as the biggest organizational benefit of a strong security and privacy compliance posture?
Peace of mind. It takes 7 years to build your reputation and 7 seconds to lose it. Hacks and breaches happen in the blink of an eye — you don’t want to lose everything you’ve worked hard to build as the result of a preventable breach.
By prioritizing security, privacy, and compliance, you know that your data is safe and your organization is doing everything it’s supposed to be doing to safeguard against a breach.