For data sharing company Data Republic, security is critical to the product, and compliance is critical to the product's growth. Data Republic provides a secure data sharing solution that helps companies unleash the power of data-driven innovation. They help hundreds of companies find value by combining their data with other sources of data and providing governed data access to external innovators, all while putting privacy and security at the forefront of their solution.
Richard Lane is the Head of Security and Risk at Data Republic. He is a one-man team that manages security, risk management, and security operations, and on top of all that he is also responsible for proving their security through compliance. The company is growing, and as it gained more customers and prospects, more opportunities required proof of Data Republic’s security posture. Data Republic had invested in penetration testing, but customers were demanding compliance certifications. “Customers view compliance certifications as table stakes now, and require them in contracts to close deals,” Richard noted.
Data Republic had customer obligations and deals to close, which meant a short time frame in which to achieve their compliance certifications. Richard had prepared for and run audits before, sometimes with spreadsheets and docs, other times with expensive enterprise GRC software. He knew that as a one-man team he wasn’t going to be able to complete the audit successfully, and on time, without an intelligent tool to help him. After a thorough review of the GRC platform landscape he chose Aptible, primarily because of its automations.
“Comply radically simplifies things from generating a policy manual to automating evidence collection to audits”
Having been a cloud native solution since day 1, Data Republic got a lot of value out of the AWS integration, which let them automate asset inventories, evidence collection, and issue detection. After they set up the AWS integration, Comply identified services in use that the engineering team had not mentioned, allowing Richard to monitor and prove security for all of their resources. They also integrated JAMF, G Suite, and GitHub to stream in assets and evidence from each of those services. Thanks to compliance automations, Data Republic was able to “go from scratch to ISO in just 6 weeks” according to Richard, with zero non-conformances or opportunities for improvement.
Despite being, essentially, a compliance team of one, Richard is able to use Comply to manage compliance and his other responsibilities. He is able to scale with technology instead of scaling the team.
“The automations I get today would take a developer 6+ months to do, and using Comply is like having another half-FTE compliance team member just to do audit-prep.”
It wasn’t just Richard who found value in Comply; Data Republic’s auditors also found that Comply made their job easier, resulting in faster and cheaper audits. One auditor reported that the audit took half the time expected, while another noted that reusing the existing ISO 27001 evidence for SOC 2 would let them immediately avoid 25% of the document requests in that audit. One auditor provided a 10% discount based on the automations and the ease they experienced.
With the audits behind him, Richard is looking forward to implementing more of the automation functionality in Comply. He is looking forward to integrating his HR tool as the source of truth for his people assets so he can automate user access reviews. “That’s a permanent task that is normally spread out across 6-10 people which I’m looking forward to no longer doing.”
Comply helped Richard establish a policy manual, automate difficult compliance management tasks, and quickly achieve his compliance certifications. If you’re looking to automate compliance management and achieve compliance certifications like Richard, see how Comply can help you.