VanRein Compliance Podcast
Learn how you can secure the future of your business with a clear plan to reduce your risk. We discuss all compliance and data security matters of SOC2, ISO27001, HIPAA, GDPR, CPRA, NYShield, Texas HB300, HiTRUST and include life stories as well. It's NOT just a boring BizCast. We also talk about our Family Business and how you can start your own Family Business that will reshape your future.
Your GRC Platform is Fake. Here’s What Actually Builds Trust
The “trust center” trend is getting weird fast. If your security page is a glowing badge, a wall of green checks, or a portal that forces buyers into an access request black hole, we think you’re signaling the wrong thing and losing deals you should be winning.
We break down why traditional GRC tooling often turns into compliance theater: lots of workflows and mapped controls, but very little proof when a customer asks for the last risk analysis, a HIPAA audit artifact, a SOC 2 report, an ISO 27001 result, or a penetration test. With HIPAA 2026 changes raising the bar, smarter SOC 2 and ISO buyers comparing vendors, and AI risk forcing real visibility into data flows and tool approvals, “we’re compliant” is no longer a convincing answer.
We share a practical blueprint for building a real trust center backed by evidence. That means linking to the right reports (without dumping confidential data), publishing executive summaries for pen tests and vulnerability scans, showing MFA enforcement and encryption proof, and keeping dates, signatures, and update cadence visible so trust builds over time. We also talk about vendor oversight and risk visibility, including how to think about sharing risk in a way that shows maturity rather than perfection.
If you want your compliance program to speed up sales instead of slowing it down, listen now, then subscribe, share this with your security or revenue team, and leave a review so more builders can move from checkboxes to real trust.
Welcome And The Real Problem
Rob: Welcome to the VanRein Compliance Podcast with Rob and Don. We help growing teams reduce risks, build trust, and stay audit ready without the overwhelm. Welcome back to the VanRein Compliance Podcast. And today, I'm a little angry. I'm a little done. I'm a little done with fake GRCs. I'm a little done with fake trust centers. I'm a little done with a website that just has glowy little balls that says you're compliant. Because you know what? It's time to build real trust in a real trust center. And today I'm going to show you how to do that without a glowy ball GRC. We know that GRC platforms are fake. Well, at least the way most companies use them, they are. I have to say that. Because they think they're buying trust, right? They really do. But what they're really actually getting is a dashboard full of checkboxes that no one believes. And in 2026, with AI, HIPAA changes coming this month, SOC2 pressures, ISO pressures, and even HITRUST, the checkbox compliance is dead. Finally. It's finally here. We're alive. So today we're going to break down why GRC tools are failing, why your customers don't trust your portal, and what you should do instead, right? A real trust center is backed by actual evidence. It's not backed by glowy little check balls. So let's just call it out. Let's get right to it. Most GRC platforms today look polished, have workflows, they track controls, they show green check marks, they put them at the bottom of your website and they glow and they look fancy and fun. But here's the problem. They don't prove anything. They're just another little light on the dashboard, right? There's nothing there. They are managing internal tasks, but to your customers, to your auditors, to your partners, they're asking, show me your last risk analysis. Show me your last HIPAA audit. Show me your last SOC2 readiness report. Show me your last SOC2 examination report or your ISO report. Show me your penetration test. Show me that pen test, right?
Show me actually what you're gonna do. Show me your vendor oversight. Show me your real evidence. And what do you get? A portal login. A bunch of controls mapped. You might get a PDF, but you know it's gonna be a template. It's gonna be just kind of fake. That's not trust. That's compliance theater. That really is. So why is this breaking down now? It didn't matter much five years ago, right? It didn't really matter much what you did, what you had, and how you showed that. But today it does matter. It does matter because these are the three things that we're seeing in the industry and why they're shifting. First of all, HIPAA 2026 changes. This month, here in May 2026, we're expected to have quite a big overhaul in the Security Rule within HIPAA compliance. Everything that was addressable is now going to become required. Therefore, you're gonna be required to adhere to that. We're gonna be required to audit to those levels, right? First up, risk analysis is mandatory and provable. You must have a report written by a third-party auditor. Hey, that's us, to go ahead and show that you've been audited by a third party. Pen testing is expected and required. You must have a penetration test, you must have vulnerability scanning, and you must have that all together here within the next few months. And this is like really urgent. That's why I'm all fired up today, right? Encryption and MFA are no longer assumed. You got to show proof. How are you doing encryption in transit and of data, right? How are you doing your two-factor authentication? Those are the key pieces. And vendor oversight is real now. You got to make sure that your vendors are not vendors, that they are true strategic partners to show that they care about you and they care about your environment and they care about your company. They care about the family that strapped everything together.
They care about the investors, they care about the board, they care about everybody that's getting a paycheck from that organization. Those are the key pieces. You can't just document your way out of this anymore. The SOC 2 buyers are smarter. Same with the ISO buyers as well. They know what a real report looks like. They ask for evidence up front and compare your vendors side by side to make sure they are a true strategic partner and not just a vendor. If they can't show it fast, you lose the deal. Gone, right? AI risk. Oh my lord, everything's AI. Heck, I think the dogs buy dog food on AI now. I don't know what's going on anymore. But well, here's what I do know: that AI is everywhere, right? We know this, but I want to see your data flow mapping. I want to see your tool approvals. I want to see your risk registers, and I want to see your controls tied to real usage. How are you using the AI? How are they processing the data? Where is it going? This is true visibility and not just paperwork, right? So if GRC tools aren't enough, what do you do? What are you doing today? This is what we love to do, and this is what we tell all our clients here at VanRein to do: you need to build a trust center backed by real artifacts. No marketing fluff, not an ocean page, not a blinky trust center with all the little lights, not a request access black hole. That just pisses me off more than anything. Here is what you need to do. You need to go to the bottom of your website, or you know what? I'd even put it above the fold on the website. You build a trust repository, a trust document link, and you link out all of your reports. You link out your HIPAA compliance attestation report. You link out your SOC 3 report, where it does not show all of your SOC 2 evidence, right? You put a link in there together for your ISO 27001 report, and same with your HITRUST report, be it E1, I1, or R2. Put your reports out there. Don't put your confidential information.
They can contact you, but put the reports out showing the firm that audited you, the report they put together, and the auditor that audited you. Put that report out there. And that way you also show the proof. And don't forget your penetration testing and your vulnerability scan executive summaries. You must have all of these summaries put together and show your people and show your teams and show your clients and show your customers and show your investors that you do this. The glowy ball means nothing to me. I want the actual report. Live risk visibility. You know what? Put your risk register up there. Yeah, I said it. Put up some risks, and then here's the rewards. And then your clients can map their way and then navigate to see if you're a good fit. The vendor risk summaries and open and closed risks. Make sure you track those, right? Make sure you track those for maturity and not perfection. And make sure that you know exactly what's going on in your environment. Control that evidence. Control evidence is huge. MFA enforced screenshots and logs. I'm going to go back six months. Our team is going to go back months to make sure you actually enforced MFA, not just on your Windows computers, your Mac computers, or anything else, but on every single platform using SSO or other types of authentication methods. I want to see that. I've got to see that. Your encryption proof, point-to-point, and data at rest and in transit and physical computers, phones, things in the car, stuff like that. I want to see all that. And your tabletop exercise reports from your backup and DR test reports. Those are key. I want to see your disaster recovery testing results. I want to see that you have performed backups. I want to see that you performed restores. And I want to make sure that you actually have all that, right? Here's the policies that actually mean something.
It's not a PDF of 50 pages or 100 pages or 20 pages. It's an Acceptable Use Policy. It's a security overview of your environment. It's an incident response summary. Put on your trust banner something that actually shows an actual report. Put a PDF up there. Download it. Have it signed by your CISO. Have it signed by your CTO. Have it signed by your audit firm. That's trust, not a glowy ball. Clear up those update cadences. Make sure those last updated dates are cleared up. Make sure your audit timelines are aligned so you don't have gaps. And you have continuous monitoring signals because that trust equals transparency over time. Those are key pieces. So let me tell you about the shift. The shift, right? The shift. The old model: let's just pass the audit. Let's do the checkboxes. Oh my gosh, I'm done. We got to get it done, right? The new model: let's prove trust continuously. Let's show the reports. Let's open the doors. Let's put everything out there so people can see and not just the glowy balls. Old model: upload evidence into a portal. Yay, I did it. Yes, you may still need to use a portal, but the new model is surface evidence to buyers instantly. Put it in the portal so it's secure, so your auditors can audit. Your auditors create the audit report. And then your buyers can see the evidence instantly, list it out, put the controls out, and be done. The old model: hide behind a process. Lord, that's more annoying than anything. The new model: show your security posture clearly. Make sure you're very defined in everything you do and you put everything right there, right? You know exactly where everything is. And so you know how to respond. You know how to take care of their trust because that's what it's really about. And this is where most companies are stuck. They've invested $20,000, $50,000, $60,000, $70,000 a year in tools. I won't name them. You see them on the billboards, you see them in ads. They begin with V's and D's and D's again. You know that.
But they've also invested in workflows, they've invested in assigned tasks, they've invested in AI, but still can't answer a simple question: can you prove your security? So this is how you have to shift your world. This is how you shift your feelings and your directions on this, right? So this is what we're doing: we're actually evolving from telling our clients, hey, you don't need to look at that GRC. That doesn't work for you. You need to build a trust infrastructure. This is what's key to your business. This is what's key to ensure that you're continually growing your business. This is what's key to continually build out trust in the marketplace so that you continue to build your business. This includes real audit ready reports, governance artifacts, and testing vulnerability data, ongoing risk visibility, and all structures so your clients can ask, can you show me your security posture? Show me the documents, show me the signatures and the dates on the documents, not a glowy ball that says you're compliant because you did a checkbox. We don't want any of that. We don't want any delays. We don't want any friction. You just say, here it is, get it done. So as we wrap up this week's podcast, here's your takeaway. GRC tools aren't bad, but they are not the end goal. And they're not what we recommend here at VanRein Compliance. If anything, they're just the back end, right? They're just a data repository. But the real product is trust. It's trust built with evidence, transparency, consistency, and not checkboxes. Actually, having a trust bar that uploads all of your documents in PDF form where your clients can get immediate access and not a link to sign an NDA. What are you hiding behind? That's BS. You need to provide the evidence immediately. And that's what we're here to help you with. This is how we help our clients. And so if you have questions on that, if you're trying to get your eye, your mind around this, right?
This podcast, and really show that trust and build your business, reach out. We're here to build this for you because we're here to help you and we're here to ensure that you can build your business and you can show that trust in the workplace and in the environment and on all of that. We're excited to help you with that. So until next time, stay compliant, stay secure, focus forward, kids.