Grand Rounds VP InfoSec: Achieving SOC 2 Type II Compliance with Hacker-Powered Security
Grand Rounds is a new kind of healthcare company that makes it easy for people to get access to high-quality care. For Steve Shead, their VP of InfoSec & IT, the need to innovate is a natural fit with the constraints of a highly-regulated industry. And while pen tests are required for compliance, Steve needed scalable, real-time testing for SOC 2 compliance.
So they moved to hacker-powered security to find more bugs in more places. HackerOne Compliance specifically focuses researchers on finding vulnerabilities defined by the OWASP Top 10 to ensure broad coverage of the most common types of vulnerabilities, and that gives Grand Rounds peace of mind and maintains security as a strategic imperative.
Using HackerOne is so easy, Steve describes it as “see, fire, forget.” Now his team can stay focused on making their technology more secure while HackerOne does the heavy lifting. But it’s not just the speed that makes HackerOne so appealing: Forrester calculates a savings of more than $500,000 across three years compared to traditional pen testing.
Read on to learn how Steve uses HackerOne Compliance.
Tell us a bit about Grand Rounds and why security and compliance are so important for your business.
Security is a strategic pillar to the business as defined by Senior Leadership. It’s not just a necessity for doing business (think HIPAA, SOC 2, etc.); it’s a necessity to protect our patients’ data. We take this personally and are passionate about protecting our patients’ data. Important to the business? Absolutely! Important to our patients? Vital…
What do you look for from your penetration testing partners? What led you to make the decision to utilize hacker-powered security for your SOC 2 Type II compliance needs?
Testing becomes routine – routine becomes predictable – predictable incites risk. Hackers aren’t predictable – you can’t constrain them (outside of rules of engagement); you get the benefit of folks looking under rocks you didn’t know existed, and they find issues you didn’t know you should be looking for. That’s proven time and again in ongoing testing.
Any tips for our readers on effectively partnering with auditors?
Security and compliance should work hand in hand to be effective. Choose a firm aligned with your level of maturity in audit, compliance and security. Align your controls and grow the program. Maturity comes with perseverance and practice.
Any automation you can introduce is a boon. Using third parties to do testing is also a more trusted method since it’s an impartial viewpoint, even more so (to my mind) when using actual hackers.
Outside of the initial setup (which was easy) – it’s “see, fire, forget” – the HackerOne team do the heavy lifting – we verify and confirm. Doesn’t get any easier than that.
Do you have any advice for others that are looking to partner with their Audit and Compliance departments to achieve business and security goals? How can security leaders help drive differentiation through collaboration and knowledge sharing with these core partners?
Audit and compliance set the bar that security needs to hit. The bargain then becomes satisfying the control or compensating the control. Since the assumption is that audit and compliance set a high bar, and security is anal about doing the right thing, your standard is automatically going to be higher than most. If there’s contention, it’s not going to function effectively. Therefore, the final part is, if you don’t have the right butts in seats, you’re destined for mediocrity.
Anything else you’d like to add?
The way the battle is won is not always thinking in terms of programs and posture, it’s mixing first principles thinking with hacker mentality. You won’t outwit the hackers but you can certainly take advantage of their skills. Mix that with a passionate team and a mature program and you’re well on the way. The glue is the symbiotic relationship that audit, compliance and security build and maintain.