Travis Good, MD

“How long does it take to be HIPAA compliant?” It’s a strange question. 🤔 More accurately, how long does it take to do all the things to comply with HIPAA. If you’re a small company, it’s def possible to be compliant with HIPAA fast, in just a few weeks. This is mostly policy and risk management work. One caveat, in that time you likely won’t have implemented or done everything in your policies. You’ll have committed yourself to doing them at some point and cadence. #hipaa

There’s a lot of people talking about the loss of value and credibility of SOC 2. And a lot of blame thrown around at audit firms, the AICPA, companies that demand SOC 2 from their vendors, GRC platforms, on and on. I always see some variation of this in the comments of these posts: “Audit firms have reputations, and a few carry bad ones. Those in the industry know which firms these are.” If it’s all about reputation, and we (“we” here being those in the audit and compliance industry), know what audit firms have bad reputations, what role does the AICPA have to play? Why does being AICPA accredited matter if the AICPA accredits bad firms? I get that the AICPA manages the actual SOC framework but there’s nothing special or uniquely valuable about the framework.

I’ve been thinking a lot about how 2025 will redefine the trust for AI vendors. We're seeing way more scrutiny for these AI vendors, this is driving demand for trust programs specifically geared towards AI. Here's what I'm seeing: 🔍 Increased Scrutiny: buyers are demanding more from AI vendors, with a focus on ethical and responsible AI practices. 💪 Trust Programs: companies are proactively developing trust programs tailored to their AI usage. 🧓 Mature AI Management Systems (AIMS): As more companies build these programs, having a mature and audited AIMS will become a requirement. Whether you own the models or are leveraging models from 3rd parties, now’s a good time to be thinking about building out an AIMS.

Should you have every piece of evidence an auditor asks you for? Not necessarily. You may have compensating controls or alternative evidence that addresses the underlying evidence the auditor is seeking. You know your company, tech, and operations best. Don’t be afraid to ask questions, get clarifications, or push back.

In Austin this week for our first Workstreet quarterly team onsite. We got a small group together to plan for Q1 and the rest of 2025. We’ve grown to over 50 people and 100s of active customers across North America, Europe, Asia, and Latin America. And we’re planning for 2025 to be a big year! In Austin, aside from covering a lot of internal, ops-focused stuff, I’m excited about new and expanded partners, new services, and new GTM offerings and motions: ⁉️ Security questionnaires service ☁️ Cloud Security Engineering 🧑‍🤝‍🧑 Privacy Ops 🏛️ Government / NIST / CMMC 🦙 💜 Vanta VIP and Spark Programs - new and expanded special offerings for the Vanta ecosystem to accelerate onboarding, ROI, and trust.

"Describe your logging capabilities for the applications/systems/hosts and network where Company_Name data will be posted sufficient to determine the root cause of a security incident? If so, are *these following logged, reviewed and audited?" 🦄 Company_Name = VC-backed IPO tech brand we all know. How can questionnaires be this bad? I get language barriers but this feels like badly one-sided as companies spend tons and time and resolves filling out what seem like hastily created questions.. Companies, in both sides of this vendor review process, spend lots of money and resources on this.

One of the first questions I ask people about security and compliance plans, whether they’re just starting out or expanding, is: What worries you the most about this? 🤔 At least 90% tell me their biggest fear is not having enough resources to achieve their target outcomes, be it an external audit or improving security posture (my words, not theirs). The simple response? Tailor your compliance program to fit your company. This means aligning it with your technical and ops resources, and your budget constraints. I often tell people “don’t overthink it”. Build a program that suits your company, market, stage, and risk. Having gone through this process at my own companies and guiding hundreds of other companies through Workstreet, I’ve learned that overthinking is the best way to stall out. It’s not about doing everything. It’s about right-sizing the things you do to your company.

🪲 Bug bounty programs? 🤔 Lately, I've been asked a lot about bug bounty programs. For some of our clients, setting up and managing these programs is a no-brainer. They see it as a proactive step to find vulnerabilities. On the flip side, other clients are skeptical to totally against them, believing that bug bounties might be scams that bring unnecessary risk and liability. In some cases I’ve seen, programs are a "CYA" only to document and handle reported bugs diligently Are bug bounties a thing you need, maybe at a certain scale, or do you avoid them? #BugBounty