Making security audits more like the doctor’s office is a good thing
Security certifications are table stakes for Blend. Of course, this is also true for other organizations in critical infrastructure spaces like financial services, healthcare, and government contracting. Proof of a comprehensive security compliance program is often necessary to sell your product or services, and the audits that precede certification can be costly in terms of fees, time, and lost opportunities to improve other components of your security program.
But at Blend, we’re never content to let the status quo dictate how we operate.
To improve efficiency, we challenged our security compliance team to coordinate their efforts and reduce time spent on recertification from six months to three. The results have been game-changing.
Why we treat our security audits like a trip to the doctor’s office
Obtaining security certifications every year is a full-time job (it’s my full-time job, actually). But like most jobs today, there are huge opportunities to improve the efficiency of the teams doing the work. Blend customers are regulated financial institutions and non-bank lenders that demand a high level of security diligence before partnering with us to use our Digital Lending Platform.
That makes sense: financial and personal information is sensitive. Certifications are a way for us to keep a finger on the pulse of the living organism that is our modern security program.
Let’s think about security audits like a trip to the doctor. Every year your healthcare practitioner takes you through a variety of tests meant to surface indications of serious conditions. Sometimes nothing comes up, and that’s what we hope for.
But we still answer questions with full transparency, and we hope that the person performing our assessment records the results of the tests they observe, sharing them with other experts if needed. We’d rather not go back to the doctor’s office three or four more times to go through the same tests with a different specialist.
With this model in mind, our security team wanted to provide a smooth experience when it came time to tap the auditors for security compliance recertifications last year. To do this, we coordinated with our team of independent audit professionals and internal Blend stakeholders to cover all of the security controls, with all stakeholders and auditors participating in a single and (mostly) pain-free project. No needles or coughing required.
How we combined three security compliance audits into one
We realized that going through three separate audits for ISO, SOC 2, and PCI was no longer scalable for Blend. Each certification requires significant effort (and a lot of time) from multiple teams. We were doing duplicate work during process walkthroughs and evidence collection phases. To make matters worse, reports tended to turn up informational observations that were light on deep process improvement insights.
We hypothesized that we could get more helpful findings if we consolidated our audit engagements and adopted a unified set of tools for information management and evidence collection. Before, it was like we were going to different doctor’s offices for each vital sign measurement, and none of those offices had each other’s phone numbers to correlate results.
This time around we wanted to get the best possible information from each assessment without going through multiple engagements. To do this, we partnered with Coalfire. The firm has expertise and accreditation in each of our compliance areas and is the largest vendor of coordinated assessments across this combination of security frameworks in the world.
Coalfire tracks data and trends on these types of audits and maintains that less than 2% of its nearly 2,500 assessments in 2019 involved more than two frameworks from its services suite, which comprises ISO, PCI, SOC, FISMA, FedRAMP, HIPAA, HITRUST, and privacy standards.
In other words, Blend is on the bleeding edge of compliance efficiency.
The result? Significant time savings and insightful audit guidance that prioritized a focus on high leverage program improvements over checkbox activities.
Our strategy for maximizing efficiency and impact
Our two primary levers for achieving efficiencies were a coordinated approach to fieldwork and intentional evidence consolidation. To merge our efforts around evidence collection, we used a single evidence repository in which each requested item was mapped across all three frameworks. Our team uploaded each piece of evidence once, to a single portal. This way, each auditor was able to formulate questions for the fieldwork phase in tandem. If there were follow-ups beyond those discussions, all involved parties had full context on the conversations and access to any newly provided artifacts.
“Through thoughtful pre-planning activities with Blend, the Coalfire audit team was able to leverage its CoalfireOne℠ platform for the coordination of requests for information (RFI) across all three in-scope frameworks via a method that permitted real-time status dashboards, control assignments, and requirements mappings, as well as fluid communication between the Coalfire audit team and the Blend project team while remaining within the bounds of its accreditation,” said David Forman, Managing Principal of ISO Assurance at Coalfire.
To coordinate fieldwork, we invited all audit teams to come on-site at the same time. Meetings with subject matter experts happened one time with all interested parties in the room. At times, this was a bit hectic since each audit team approached questions from a different perspective. However, it also allowed us to get much deeper into key processes and provided the audit team with a comprehensive understanding of our program. This ultimately led to thoughtful observations and guidance that the Blend security team was excited to put into motion.
This last piece is key. Not only did we benefit from time and cost savings via our approach, but the security program actually benefited in tangible ways.
According to Forman, “Blend is a success story that demonstrates the value of an effective Information Security Management System (ISMS) when utilized to expand the audit criteria context beyond ISO 27001 as a response to the needs of internal interested parties and the requirements expected by its external customers.”
Throughout the project, we were able to work with independent experts like Forman and his team to bring multiple perspectives to our program. An effective security compliance program provides a clear view of threats and areas of control weakness, and it should always yield high leverage improvements that reduce risk to the business.
What comes next?
We were happy with the outcomes we got from our newly adopted approach to annual audits, but we are not content to rest on our laurels. Our approach yielded higher quality results for the business and provided the security team with clarity for future improvements. Along with many other in-flight security projects at Blend, we’re looking forward to:
- Developing a pipeline for filing evidence (think automated collection of vulnerability scans and access reviews)
- Continuing to automate and centralize responses to security events
- Taking a new approach to data layer access security in a container-based world
- Building even more new ways to make our security posture transparent and accessible
If those projects interest you, let us know. We love to keep in touch with ambitious thinkers and fanatical security aficionados who get things done. Check out our careers page and come help us build brighter financial futures for all.