5 Questions to Ask Your Security and Compliance Vendor

With options for security and compliance automation booming, here are the 5 most meaningful questions you should consider before pulling the trigger on a new partnership.


"Our sales guys are pushing us to become compliant in order to close this major deal, and so we just need to become compliant as fast as possible. We don't have a dedicated security team at the moment, and so while we care about security, we just can't dedicate the resources to it right now. We're looking for one tool that can rush an audit for the sales guys, manage those audits for our makeshift compliance people, and provide awesome security monitoring for our non-specialist engineers." This is what we hear every day at VGS.

The market for automated compliance tools is heating up: many vendors are raising funding, and even AWS has launched a compliance manager of its own. Here are the five questions you should ask of any compliance tool or consultant:

  • Will I decrease my time to complete an audit?

  • Will this investment help improve my actual security?

  • Will my company save hiring dollars?

  • Will I learn not just what to do, but how to do it?

  • Is my security tool secure?

Security in the long-term

The five questions below come from our experience helping hundreds of clients meet, obtain, and maintain compliance standards. VGS was created five years ago to let customers use sensitive data without taking on the drawbacks of holding it, compliance scope being one of the biggest. Over those five years we've worked with numerous clients to help them achieve compliance, and seen the wins and losses that security tooling can bring.

Will I decrease my time to complete an audit?

At the end of the day, you're probably looking for a compliance automation tool to shorten your time to audit and close a major deal. Companies looking for quick compliance make two major mistakes: signing up for glorified spreadsheets, and using shoddy auditors. A glorified checklist will help you organize the work, but it won't do any of the work for you. These tools resemble GRC tools, which are great at tracking work but not at doing it. A tool should do as much of the work as possible, not merely help you assign tasks. Too many tools claim to be "Compliance Automation" but really offer a spreadsheet and a file drop that you could manage better in Jira and Google Drive.

On the other hand, some vendors promise a lightning-fast audit, but the resulting report carries little weight with customers savvy enough to ask who performed it. Remember that your auditor wants you to pass, so part of what you're paying for is the auditor's reputation and standing in the industry. We commonly work with auditors like Armanino for this reason: they provide better than "Big 4" levels of value at a price that makes sense for startups. Because of automation, we're able to provide ultra-fast audits without resorting to "Joe's Audit Shack."

Will this investment help improve my actual security?

VGS is a company filled with security, DevOps, and software engineers. As engineers first, nothing frustrates us more than security theater. The near-total lack of real security in so-called "Automated Compliance Tools" is what inspired us to enter the market. When you're in the middle of closing a major deal, passing the audit might seem like the only thing that matters, but you should also consider the real security of your business. Too many tools offer you the bare minimum to pass an audit, and as your business grows you find you've invested time and energy into technical debt, an engineer's worst nightmare. Ask yourself: Will I still be using this tool in 10 years? Will my security engineer also find this tool useful? Is this tool actually helping me secure my customers' data, or is it only helping me check a box? We made Control because we wanted a tool that could both get you through your audit fast and provide long-term, meaningful security.

Will my company save hiring dollars?

With great tooling comes great responsibility. Businesses often overlook the hidden cost of the additional hires needed to manage new tools. Cloud-centric tools often promise automation while really requiring extra staff to triage their alerts, maintain their integrations, or manage their databases. When you're demoing a Compliance Automation Platform, consider whether you will need dedicated hires to run it, or whether existing staff can realistically do so. With Control, we've seen numerous small teams pass their SOC 2 audit within a couple of weeks with no additional hires. How much is the tool doing for you, versus generating additional work? Ultimately, a compliance platform should reduce the need for dedicated compliance and security headcount, not create it.

Will I learn not just what to do, but how to do it?

One thing Compliance Automation vendors love is hidden costs. Their quote often glosses over what is actually needed to pass an audit. You don't just need the spreadsheet of what to do; to actually do it, you will need an auditor, a penetration tester, and consulting on security policies and technical implementation. It's important that your vendor be honest and upfront about what a full engagement with them will look like. Find out exactly how you will pass the audit, what the level of engagement will be, and how you will get a penetration test done. Additionally, find out what they charge for consulting and what that consulting is worth. Is your "CISO as a service" really just a guy in a call center? Or maybe even a bot suggesting policies?

Is my security tool secure?

The security of the compliance automation tool itself is the most overlooked aspect we see in tool comparisons. As part of an audit, you're uploading your most sensitive data and integrating your production assets into a tool that is usually developed by just a few people. During the demo, ask how your data is secured and how your access keys are protected. At VGS, we use the same data aliasing techniques internally to mask your access credentials, so even if Control itself were compromised, an attacker would obtain aliases rather than your real keys, and your business would stay safe. That's a guarantee most other vendors can't make. We're a security-first company, and we're not playing fast and loose with your production-critical data.

One stop, from day one

We care about real, transparent, and meaningful security, not security theater or checking boxes. At VGS, we're your partner in security, compliance, and data privacy. We are a leading security company because of our commitment to solving complex technical tasks for our customers. Control works best when it's paired with the VGS Vault. With VGS Vault, you can alias any sensitive information your startup touches, allowing you to focus on development instead of data privacy. With Vault + Control, your startup will be secure from the ground up and ready to tackle any compliance framework you may need. Use VGS Vault to de-risk and add value to your sensitive data, and use Control to prove your security posture to the world.


Get started with the Security Foundations Control Collection and start securing your business today. Getting started now will save you a great deal of time and money in the future. Start today and get compliant in as little as three weeks.

  • Prescriptive Tasks so you know where to start.

  • Cloud infrastructure and SaaS security scanning.

  • Automated security policy creation.

  • Automated evidence collection for future audits.
