This episode of the IT Business Podcast features an interview with Randy Blasik and Mark Heather, co-founders of ComplianceAid.com, a startup participating in the 2024 PitchIT accelerator program organized by ConnectWise. ComplianceAid offers an AI-driven cybersecurity compliance platform that aims to simplify the compliance process for MSPs and their clients. The founders discuss the platform's capabilities, including automatically generating compliance documentation, aligning existing documentation with compliance frameworks, and conducting assessments using AI auditors.
Episode Sponsor: Thread (www.getthread.com)
===
ComplianceAid is an AI-driven, multilingual cybersecurity compliance platform designed to assist MSPs in offering compliance services to their clients. The platform utilizes a team of AI agents that act as virtual auditors, reading and aligning clients' existing documentation with compliance controls and generating context-enriched policies and procedures.
The founders highlight the platform's ability to save time and resources for MSPs by automating the compliance assessment process. Instead of relying on expensive human auditors, ComplianceAid's AI auditors can assess compliance for all clients within a short timeframe, enabling MSPs to offer compliance services at a profitable rate.
ComplianceAid offers flexibility in its service delivery model, allowing MSPs to either use the platform directly or have ComplianceAid handle the entire compliance assessment process. The platform supports various compliance frameworks, including NIST Cybersecurity Framework, HIPAA, and HITRUST, and can integrate with other systems through APIs or copy-paste functionality.
The founders emphasize the platform's agility in adapting to new generative AI technologies and its multimodal capabilities, enabling it to understand and interpret graphs and images within documents.
=== Show Information
Website: https://www.itbusinesspodcast.com/
Host: Marvin Bee
(0:02 - 1:06)
The podcast you are about to hear is a vendor profile episode for Pitch It, an annual startup competition and accelerator program organized by IT Nation, a ConnectWise community. This year, 26 companies from 7 different countries have been selected to participate. Companies go through a 16-week business transformation course led by industry experts and ConnectWise leaders.
After the 16 weeks, each company will be required to complete a virtual pitch. From that, judges will select three finalists to present their pitch live at IT Nation Connect in November. The first-place winner receives $70,000, second-place winner receives $30,000, third place a set of steak knives.
This episode is presented by Thread, last year's Pitch It winner. Thread's mission is to help IT service providers deliver service magic. Visit them at ITBusinessPodcast.com slash Thread.
(1:16 - 1:39)
Hello, friends. Uncle Marv here with another episode of the IT Business Podcast and we are at the start of Pitch It season 2024. This is the first of our vendor spotlights and this will be culminating at IT Nation in November where the Pitch It winner will be crowned.
(1:39 - 2:07)
But between now and then, I will be featuring all of the potential contestants on the show here and from time to time, we'll have Shawn Lardo come on and talk about the progress and how things are going. But each of these are going to be just quick hits with each of the vendors. They'll do a little bit of a pitch here, explain their company, and hopefully you'll get a chance to learn more about them before November.
(2:08 - 2:41)
So today, we have the ComplianceAid.com website focused on simplifying cybersecurity and it aims to bridge the gap by offering a comprehensive platform that utilizes AI technology. And to help us go through and understand that, Randy Blasik, founder of the ComplianceAid. Randy, how are you? Hey, Marv.
How are you? I am good. So how correct was I in the explanation of the ComplianceAid? You were pretty correct. You did a great job.
(2:41 - 8:04)
Okay. Why don't you kind of help fill in the gaps and give everybody a quick idea of what you do and how things are going. Sure.
I'm here with my co-founder, Mark Heather, by the way. Mark is all the way across the pond from the UK, but I'm also here in the US. So in terms of what we're doing, pretty simple.
We're an AI-driven, multilingual cybersecurity compliance platform. So what we're going to do for MSPs is we're going to enable a new service offering for them using a team of AI agents that act as that MSP's compliance auditing team. Interesting.
So what kind of makes this different than all of the other platforms that say they'll give us a checklist and give us easy ways to go in and make sure we're checking all the boxes? Yeah. So this is going to actually read the client's existing documentation like a real cybersecurity auditor would. And then it's going to align that documentation automatically to all of the required compliance controls.
And then, I don't know about you, Mark, but when I ran an MSP, we always had trouble trying to hire auditors or keep auditors on staff. They were always expensive and the turnover rate, we would lose them almost as quick as we got them. So using generative AI in this space to not only read and align the controls, but also to give its assessment of the control coverage, I think is helpful to MSPs, especially ones who maybe need human auditors, for example.
We could sort of replace or augment that with some of our generative AI services. All right. So to answer part of your first statement there, hiring auditors.
Yeah, we didn't do that. We would just work with the customer to answer the questions as best as possible and have them submit it to wherever it needed to go. And then that's how we got it back.
But let me ask this question, because part of what you're saying is we would provide the existing documentation that the customer had. What if they don't have any documentation? Yeah. So a lot of customers don't.
And that's where we sort of struggle or we struggle as MSP was writing all of those documents. So like you take the NIST cybersecurity framework, for example, which most of your customers probably need, most of mine need it. Yeah.
So there's like 15 policies and procedures that you could write as part of a NIST cybersecurity framework engagement. Our platform will do that automatically. It'll generate, we'll call it context-enriched documents based on any information they provide.
So if they don't provide very good information, the templates, while they'll be tailored to the customer, they're not going to really have a lot of detail. As the customer or client goes through and they become more mature with their security compliance, the data that you provide to our generative AI team will allow for more enriched policies and procedures, basically making it so that humans really just need to read the policies and procedures that are generated by the AI and lightly update them. But quite frankly, the work is all pretty much done by the AI team and the compliance service offering.
All right. Now, is this something that we as the MSP would have to upload on behalf of the customer or do we give them a link for them to do it on their own? How does that process work? Great question. So we want to be flexible when we work with our MSP partners.
And we know that everybody has a different engagement path with all their customers. So we allow both. We can give the MSP our tool, which is a simple to use web interface, and they can create all of the documents and do all of the alignments and assessments all pretty much on their own.
It's easy enough to give to their customer. Or we can just straight up do it for the MSP. We can receive all of the client's documentation and we can basically run our own web user interface, do the full cybersecurity assessment like a real auditor would, and then give the MSP back a spreadsheet with all of their compliance requirements and then all of their policies and procedures, just like a real auditor would.
So we have three different methods for it. Okay. And then if it comes time to do an annual recheck or a second risk assessment, all of that stuff I'm assuming is already there and can be updated or just simply reapplied? Does that sound right? Yeah.
And yeah, that's exactly it. And then the cool thing with us is because we're not using humans, we can do these rechecks pretty much overnight. So it's basically the equivalent of like a month's worth of work where we review everything pretty much overnight.
(8:06 - 10:05)
Nice. So I can understand that it makes the documentation part easy, but in terms of time, how does this free us up as MSPs to make it more efficient and cost-effective? And we're not going to talk price, but I'm assuming there's got to be a way for us to make some money in this. Oh, yeah.
So we want to split the revenue 100% with our partners. So we'll just leave it at that there. But in terms of time savings, so let me give you a perfect example.
Let's just say you're an average-sized MSP, you've got about 100 customers. Today, you could not assess all of those customers' cybersecurity compliance towards, say, the NIST cybersecurity framework. You couldn't do that.
You don't have enough humans to do that. With us, what you could do is you could build a new program to assess them to NIST cybersecurity framework, all 100-plus controls overnight, and bill them a small nominal fee, every single one of them, and have them all done within a 90-day period because we do them so quick. So in terms of time, there's really not a lot of time the MSP needs to spend when you're doing a compliance assessment with us.
You basically just collect some best documentation that the client has, if they have anything at all, give it to us. We literally reply back with a full NIST cybersecurity framework assessment and 15-plus policies and procedures back to them, and we can do that for every single one of your customers. Interesting.
Very nice. Let me go back and ask some basic questions about the company. When did you guys get started? August 2023 is when we got started.
(10:06 - 10:44)
All right. And how many MSPs do you estimate that you're working with already? Sure. So remember, we're a startup.
We've spent a lot of time working with industry experts certifying that our AI responses for our assessments are accurate for the industry. So right now, we've got a very large North American-based healthcare compliance auditing firm that does auditing for HIPAA and HITRUST. It's the Cybersecurity Compliance Assessment.
(10:46 - 11:16)
They've certified our responses, and we're working with them to do HITRUST assessments. Okay. The reason I was asking that question, I was trying to get an idea of how many documents that you've gotten from MSPs that were generated by some of the other platforms that we're involved with that will create the documents for the customers and then send them to you to actually make sure they match up.
(11:16 - 15:54)
Yeah. I don't know. I mean, we've done hundreds of documents.
I don't know which ones are human-generated or from templates, to be honest with you. Okay. Because, I mean, that kind of would be the thing, is even though you're assisting with the AI side of it, I have to imagine there's going to be a ton of AI documents that would just be sent to you that are either templates or things of that nature.
Does a platform adjust for that? Oh, absolutely. Yeah. Like I said, we're using the very best large language models that are out there.
We're not tied to any specific generative AI technology. Our systems are agnostic, so if a new large language model comes out, we'll select a newer one. We're multimodal.
We can actually see graphs and images on the documents that you give. So if you give us an asset inventory with a pie chart, for example, the AI auditing team will be able to see and read and understand that pie chart. Yeah.
Okay. Now, most of these platforms are usually self-sustaining platforms. They're not really tied to any of our tools that we use, PSA, RMM, or anything like that.
Are you guys tied to any other tool or is it just completely separate? No, we want to try to be separate. We do make it pretty simple for our AI responses and our documentation to be either put into other systems like with hyperlinks or with APIs. We have some APIs that we can feed information into, but we can also copy and paste information, but we try to be simple and easy to use.
So there's really not a lot of integration stuff that we're doing that would be above the norm compared to other organizations. All right. I also want to go back and make sure that I explain to people, when you go to the website, it is thecomplianceaid.com. Make sure you put the T-H-E in at the beginning because you'll end up going to some other place.
So thecomplianceaid.com is where you want to go. All right, Randy. Well, let me give you an opportunity because I know I've asked the questions and tried to make it work, but what maybe have I missed in terms of asking what the Compliance Aid is all about? Mark, do you have anything before I jump in? Sorry, excuse me.
I think from our perspective, the main thing is that we do the heavy lifting in the compliance side of things. So whether that's NIST or ISO, whatever the framework is that we support, we basically save time. And we will save you a minimum of 50% of the time taken to create documents, be able to do milestones and next actions.
And as we said earlier, the actual start to finish, if we have documentation from a client, it takes us about 48 hours to produce the alignment, the assessment, and the lifting policies. So that's primarily, if you like, what we're about is taking that heavy chunk of reading all the documents and trying to evaluate the answers. All right, Randy.
Anything else, Randy? Yeah, this is just my history with MSPs. This has just always been an area that I've seen MSPs sort of stay away from. Or if they do it, they're not doing every single one of their clients.
They're only doing the clients, like a handful of clients for cybersecurity compliance. And with a system like this, we can really sort of standardize and rapidly push cybersecurity compliance out at a really profitable way for our MSPs to really, one, do good by our client and make sure that they're aware of where they are in their compliance journey. And two, we can make some cash by putting on a good service that does the right thing for the clients.
So that would be it for me. All right. Now, I know that you're new and that are we even at half a year yet? I think we're right at six, seven months for you guys.
(15:55 - 16:15)
Do you have a roadmap yet in terms of where you want to go and how the platform may change over the next few years? Yeah. So generative AI is probably the most fastest moving industry I've ever been in. I mean, it's every three months, something really new in nature is coming out.
(16:15 - 17:31)
So it's tough to really predict where we're all going to be, to be honest with you, in the next months. But we're going to continue to build and support new frameworks. We're going to work with industry experts to verify our answers.
We're going to focus on our quality. But more importantly, we're going to look at teams of AI agents. So we're going to incorporate teams.
So we can augment some of our people, but yeah, more frameworks and AI teams that's going to be in our future. All right. So I think your friend there was getting excited because this next question, I didn't prepare you for, but it's going to be, I think, pivotal in how I do my presentation coming up at IT Nation in November.
Obviously, the goal is to win. And the first prize for Pitch It, 70 grand, second prize, 30 grand. Third prize, I instituted a set of steak knives as the third prize because previously they got nothing.
(17:32 - 17:44)
I know you want to win, but if you had to settle for third, do you have a preference on the type of steak knife you'd like? Oh my gosh. I don't know, Mark. I mean, a sharp one.
(17:51 - 18:39)
That's all right. I'll let you off easy there. I knew that was something that I did not prep anybody for, but I've already gotten a couple of comments in terms of people responding that they're looking forward to the steak knife presentation, which I don't get it.
And I'm sure that's not what everybody wants to focus on, but just a fun, fun aspect that we threw in there. So Randy, Mark, thank you very much for your time and explaining the Compliance Aid. And of course, again, the website, thecomplianceaid.com. And you guys are going to have fun over the next, what, 16 weeks of boot camp? I think so, yeah.
All right. I wish you guys luck. And of course, we'll see you at both IT Nations and maybe have you guys stop by the booth and say hello.
(18:40 - 19:06)
Thanks for your time. All right, folks, that's going to do it. We'll be back with another episode soon.
Enjoy. And until next time, holla.