Compliance is hard and time-consuming
SOC2 compliance is even more challenging, especially when you're a small team that moves at lightning speed. In such teams, compliance can feel like bureaucracy, and bureaucracy can feel like a roadblock to an agile team.
Teams, especially small, nimble, talented ones, need to “own” a security posture. The first thing we did at OpenBB was initiate a grassroots movement called "The Security Cult," where we took an oath and began and ended each meeting with the phrase "Blessings and Firewalls."
Embracing a security posture is one thing; obtaining SOC2 compliance as a fledgling startup is another. We work with large companies with hefty compliance departments, so managing internal and vendor policies and procedures is critical.
Compliance can be automated
When you’re responsible for compliance, security, and regulatory matters, a huge part of the job is working with documents. Policies, security reviews, and technical controls all mean one thing: tons of reading.
On any given day, I juggle policies (ones I write or help colleagues develop), implement security controls, both technical and non-technical, and dive into security reviews.
Our vendors, like AWS and GitHub, provide tools that help with vulnerability management, and Vanta collects everything into a neat interface. But when it comes to working through documents, no tool has helped me more than OpenBB.
OpenBB, with its AI Copilot, has become my go-to for automating compliance work.
One of the game-changers here is the Bring Your Own Data feature, which lets me upload documents directly into OpenBB. I’ve got a whole folder structure in place: a Compliance folder, with subfolders like Questionnaires. When I start a new review, I create a dashboard for the vendor I’m evaluating and load up their SOC2 reports, data policies, pen test results, and everything else they send over.
Now, working with documents like these can be a real pain.
Picture this: I’m sitting with a 172-page SOC2 report, a 30-page data policy, and maybe another 50 pages of pen test results and something else. That’s over 250 pages of dense information to sift through, and reading it all would take hours. But that’s where Copilot steps in.
How OpenBB Copilot simplifies compliance
Once I upload all those documents, I open Copilot and get to work. Copilot has this great feature that allows me to add and remove documents from the context of our conversation on the fly. Here’s how that looks in practice:
I start with the SOC2 report. I ask Copilot questions about the report: specific, detailed questions about controls, vulnerabilities, or whatever else I need. Copilot reads the report and gives me answers, with page references to the exact spots where the information is found. I can click through those pages to double-check the details or uncover extra insights that might help me make better decisions.
When I’m done with the SOC2 report, I remove it from the context and switch to the Data Policy. Now, Copilot focuses only on that document, giving me answers directly related to what’s in the policy, with the same kind of direct page references. This approach helps me stay on track without getting bogged down in irrelevant details from other documents.
I keep repeating this process with each document I’ve got, one by one. Copilot and I build out the context together, shaping the conversation until I have all the information I need.
From context to summary
Once everything is in place, I ask Copilot to summarize the entire conversation. The summary becomes the foundation of my final review, which I then edit into the polished version I send out. This workflow not only speeds up the process dramatically but also ensures that I have a complete, well-structured review based on every document I’ve analyzed.
The bottom line
Using OpenBB with Copilot has saved me hours, hours I now spend on other equally important tasks. For a small, agile team like ours, that kind of efficiency is invaluable. Not only is it convenient, but it allows me to do critical security work without sacrificing time for the rest of my responsibilities.