Troy Fine is Tom Fox’s guest on this week’s episode of the Innovation in Compliance Podcast. He is the Senior Manager of Cybersecurity Risk Management and Compliance at Drata. Troy joins Tom to talk about data security, data protection, and risk management.



Internal and External Auditing

Auditing is external and internal. External auditing entails third parties coming in to assess a company’s controls, security frameworks, and determining if they meet compliance requirements. Internal auditing involves people who work directly for the company they are assessing. They are a lot more involved with the business, and understand the requirements of the business better, so they take a more collaborative approach. Internal audit identifies the gaps within the organization, so the business can remedy them quickly, and so that the business can be prepared for an external audit. Troy points out that sometimes internal audit would assist external audit, with external audit relying on the testing that internal already performed. 


How Drata Scales Your Company

Integrity and trust are the core ethos of Drata. “We built this product so that our customers can prove to their customers that they could have trust in their data security,” Troy tells Tom. Currently, the company has over fifty integrations that they can pull data and test from, as well as many new frameworks. What this means is that as Drata’s customers get their own customers and more requests for compliance, Drata will be able to support them through additional controls. Customers and clients are able to create a more secure environment in their organizations and meet their compliance standards at the same time. Drata allows customers to manage their control environment via continuous monitoring. When an auditor comes in to assess, they can see the control operated over a long period of time.


Assessing Third-Party Risk

Within the Drata platform, there is a vendor management page where customers can start monitoring their vendors. Customers can rank them from low to medium to high risk. For medium- and high-risk vendors, customers can log and track how well those vendors are meeting security requirements. “Part of our control testing is to check if the customer is monitoring their vendors appropriately,” Troy remarks. “We want to make sure they’re also monitoring their vendors, so we provide them a template that allows them to make sure that we’re viewing the SOC 2 reports appropriately, and identifying any risk or end-user controls that they need to perform.”


Zero Trust

Tom asks Troy what companies need to be thinking about in terms of cybersecurity in the coming years. “A big area to focus on is going to be this idea of Zero Trust,” Troy says. A greater emphasis on verification, based on location, customer behavior, or just a change in general, is going to be seen in the not too distant future. “As the workforce becomes more remote, the idea that somebody behind the keyboard is not the same person that was in your office is becoming a bigger question,” he adds. Implementing Zero Trust frameworks is going to become more important.



Troy Fine | LinkedIn