Facing the InfoSec Problem – and Creating the Solution – From the Inside

The concept for Compyl came from years of on-the-job experience our co-founders, Stas Bojoukha and Simon Shaddock, had while holding CISO roles for large enterprises. They continued to see the same issues surfacing when implementing information security and compliance programs. A robust program requires cost-prohibitive tooling, lengthy implementation, large teams to share the workload, and a bit of trust that the tasks are being completed on time. The “trust” aspect was regularly highlighted in audits as a deficiency. No one application represented a complete overview of an organization’s overall security posture. These security and governance gaps led Stas and Simon to create Compyl, the only all-in-one information security tool that would allow an organization to manage security and compliance workflows in a single location by leveraging integrations and automation. 

The Problem

Let’s take a deeper look at just a few of the challenges surrounding information security and compliance, and why organizations consistently struggle to maintain a suitable program. 

• Increasing threats: While potential threats have always existed, most recently, threats have become mainstream, forcing organizations to implement teams, tools, and strategies quickly to avoid significant exposure. Even with these measures taken, vulnerabilities still exist and will continue to exist until a proper continuous security and compliance program is integrated into the organization’s culture and daily workflow. 
• Expensive and Resource-heavy tools: An organization can use world-class tooling, but they are ineffective if not correctly configured, managed, or maintained. Since one piece of software doesn’t exist to provide continuous security and compliance monitoring, organizations turn to a variety of tools to bring some confidence to this confusing issue. This becomes extremely expensive and requires numerous implementations, taking up time and energy across the organization. Using multiple tools also means many long training sessions for employees. If these employees later leave the organization, they take this knowledge with them, causing new employees to go through this same lengthy and resource-heavy cycle once again. And lastly, the use of various tools tends to lack integration with one another. Though most tools can integrate within the organization’s environment to view and collect data, many don’t communicate with each other throughout the process, making it nearly impossible to know where an organization stands in real-time regarding security and compliance. 
• Lack of expertise:The need for information security professionals that organizations are searching for far exceeds the number of available experts.

The average tenure for a CSO or CISO is between 18-26 months; 24% of security leaders are in their roles for a year or less.The loss of staff diminishes institutional memory. New hires continually reinvent the wheel, creating redundancies and leaving gaps that weaken an organization’s overall security posture. All of these issues are what keep information security experts up at night. They are constantly wondering:

• Does my CEO get it? 
• Is the software configured correctly?
• Where are the security gaps?
• Do we have the right expertise in our team?
• Are we protected?
• Where do I spend my time?
• How much risk are we vulnerable to right now?

These challenges are the basis for the type of solution Stas and Simon were motivated to create. A tool that solves the real-world problems an organization deals with when facing security and compliance regulations and controls. 

A Solution for Real-World Problems

In the fall of 2017, Stas and Simon started Compyl. The all-in-one information security and compliance solution integrates into an organization, collects and evaluates their data, and automates the tasks and workflows required to maintain continuous security and compliance. Compyl becomes your go-to information security and compliance knowledge base that you can rely on to understand what is occurring within the organization at all times. It is a scalable solution that tracks your progress for reaching compliance to any desired security frameworks or regulatoryrequirements, as well as demonstrates maturity over time throughout your journey. Instead of wishful thinking that controls are in place and being properly implemented, Compyl gives you confidence with a robust security program that will evolve and adapt alongside your organization.

What makes Compyl different?

• Automation Engine:Compyl’s automation engine is at the core of everything we do. We easily tie into your organization’s systems, extract real and targeted data to display it in one location, exactly how it needs to be seen. Compyl monitors, validates, and continuously runs the easily forgotten reports and tasks, leading to significant issues and pain points down the road. We can also configure custom routine controls to capture additional data an organization may need.
• Policies, Standards, and Procedures:  An organization must follow a set of policies, standards, and procedures based on their industry, regulations, and the tech stack they use. Many businesses do not have the time to build these documents or the ability to monitor if they are being adhered to. Compyl generates all of the required policies your company must follow, assigns ownership, and allows you to track progress to avoid any organizational lapses during the onboarding process. Tasks are assigned for regular updates and are based on industry regulations or industry best practices.
• Privacy: Organizations are required to follow privacy laws and regulations (such as GDPR, CCPA, HIPAA, etc.) depending on the type of data they store to ensure it’s handled properly. Compyl generates these privacy requirements based on your company’s needs and legal requirements to ensure you are operating with the required privacy framework or regulation during the onboarding process.
• Contract Register: Securely store and monitor all contracts in one location. Once all contracts are centralized, renewal tasks and reminders are created to alert owners before a contract lapses to allow for appropriate re-negotiation time and updates to include security or compliance requirements.
• Incident Register: Centralized location to log all incidents that happen across an organization. This ensures appropriate information is collected and retained for audit purposes, triggers incident response playbooks, and helps facilitate root cause analysis as part of continuous improvement processes. This allows your business to standardize the approach and escalate each incident to the appropriate stakeholders regardless of where the incident occurred within the organization.
• Risk Register: This allows for a repository of all identified risks across an organization in a single location. This asks for all the essential information that relates to each risk that has been raised and allows for consistent risk scoring and management. Compyl then links each risk to the relevant asset, a system, category, vendor, and control to bring consistency when evaluating and presenting risks across the organization.
• IT Asset Register: Securely store information about your software and hardware that holds or processes your data and information. Your software and hardware are then scored on availability and criticality based on your organization. A compliance score can then be determined for each system based on incidents, risk, contracts, incomplete tasks or reports, and vendor assessment.
• Vendor Register: Securely stores your organization’s vendors, suppliers, and 3rd parties. The Vendor Register allows you to conduct customized or industry-based vendor assessments to understand technical and operational risk and standardize how your organization evaluates a vendor. Compyl enables complete lifecycle management of your vendors, suppliers, and 3rd parties, from contract to operational management.
• Wizard: Directs the onboarding and setup process. You will be led through a series of steps to compile and configure all of the necessary information for your organization, such as framework compliance, systems, and vendors, to start you on your Compyl transformation.
• Phishing and Training: A staple for a robust security program, security awareness training, and phishing are imperative to protecting your organization. Without it, organizations can be hacked or breached by avoidable scenarios. Compyl centralizes this training and implements it across all stakeholders to identify areas that need improvement. We can even assign specific training modules for individuals identified as higher risk or require it as part of their job function.
• The Information Security Management System – ISMS: A records management system that keeps a record of each and every task created or completed across an organization. This is a granular list of what needs to be done, who needs to do it, and when it needs to be completed. The ISMS proactively identifies each task that needs to be done to mitigate risk across the organization and satisfy all necessary regulatory frameworks. It can complete several tasks using automated methods as well as assign and manage the completion of manual tasks to assigned owners.
• Dashboarding: Provides a comprehensive view of your organization in real-time. The dashboard pulls data from reports and systems to display the information visually using graphs, charts, or metrics. Drill down on each tile based on the systems you choose to monitor, and then add or remove tiles over time as your organization priorities evolve. Access source data simply by clicking the corresponding tile.
• Reporting: Tracks progress and generate insights across your organization. This function creates and standardizes multi-level intelligent reporting at your organization’s required frequencies. Consistent reports empower your team with the information they need.

All-in-one information security and compliance solution

After four years of development and many organizations using Compyl every day we believe we have solved one of the industry’s biggest challenges. Instead of having large security teams and multiple pieces of software that don’t communicate with each other, Compyl is simple and seamless. With a robust, single pane of glass approach that is scalable and simple – your organization can finally enjoy the confidence of a proper continuous security and compliance solution.  

More Here