
Forage's multi-framework, single auditor approach delivers $100k savings and key client acquisition

Forage is a payment processor that enables merchants to accept funds from government food assistance programs online, such as SNAP (Supplemental Nutrition Assistance Program) benefits, through its single, unified API. As a mission-driven company increasing access to groceries for millions of Americans, Forage makes compliance a top priority.


CHALLENGE

A small team needs support to tackle multiple complex frameworks by their deadline

Rob Gormisky, Information Security Lead, and his team at Forage previously relied on vendors to manage their customers’ cardholder data. They were already PCI DSS-compliant, but when they decided to bring the cardholder data in-house, they needed to raise their PCI DSS compliance to Level 1.

In addition, customer demand was increasing for SOC 2 compliance, and Forage had a contractual obligation to be SOC 2 certified by the end of the year.

Facing multiple compliance frameworks and a PCI audit larger in scope than they had done before, Rob and his team began looking for a compliance partner to help them streamline the process.

“Knowing that it was going to be a compressed timeline, we wanted to pick a partner who was going to automate as much as possible for us. Additionally, having a single vendor that could support us with both frameworks was critical.” –Rob Gormisky, Information Security Lead, Forage

Rob was looking for a partner that had expertise in both SOC 2 and PCI requirements, experience with cloud environments, and an easy-to-use platform with the right integrations. Thoropass fit the bill.

SOLUTION

Forage partners with Thoropass to streamline SOC 2 and PCI audits

Rob and his team began their SOC 2 and PCI journeys simultaneously with the help of their Thoropass Customer Success Manager (CSM). Their CSM helped them with the scope and sequence of the two projects to make evidence collection as efficient as possible.

Unlike Rob’s previous experiences with traditional audit firms, both Thoropass’ CSMs and auditors understood cloud environments, allowing for seamless, timely communication and relevant advice. Instead of spending weeks trading spreadsheets with auditors, he received clear feedback the same day via Thoropass’ platform.

“Whenever I had a question, I was never waiting for a significant period of time, even if it was a particularly thorny question. Having a web dashboard to communicate back and forth was definitely huge for us.” –Rob Gormisky

Integrations with platforms like AWS, Rippling, and GitHub sped up the process even further: about half the evidence was collected automatically.

“If I had to gather every single piece of evidence for the SOC 2 audit manually, it would have delayed my PCI audit significantly. It would not have been possible without working with the same auditor for both frameworks.” –Rob Gormisky

Some of Rob’s other favorite features were data rooms, which enabled his team to track versions of documents, and time-saving SOC 2 policy templates.


RESULTS

Forage beats its deadlines for both audits and saves 3-6 months of development time

Not only did the Forage team meet their SOC 2 timeline, but they beat it with a month to spare. They also met their full-scope PCI audit deadline, raising them to Level 1 compliance.

Each certification had an immediate positive impact on the business.

“SOC 2 is for sales, and PCI is for partnerships. They unlock different things for us. Without SOC 2 compliance, we would not have our largest enterprise customer today. There are partnerships that we are now able to build with other FinTech companies that were not possible when we didn’t control a full Level 1 PCI environment.” –Rob Gormisky

Internal communication has also improved, allowing for more effective governance.

“Having a risk assessments platform that various stakeholders within the organization can access has led to more productive discussions. It’s helped me disseminate security information more broadly and bring more people into the fold on compliance.” –Rob Gormisky

But one of the biggest benefits to Rob’s team was Thoropass’ thought partnership on product development. Before Forage’s team of four engineers built the technology to store cardholder data, Rob got design feedback from the Thoropass experts.

“I was able to ask the auditors about PCI requirements upfront before spending engineering resources to build the product. That was genuinely invaluable.” –Rob Gormisky

That insight saved his team an estimated 3-6 months and over $100K in development costs by reducing potential remediations and focusing their scope.


LOOKING AHEAD

Maintaining and continuing to improve their security posture

Forage plans to maintain its SOC 2 and PCI certifications with Thoropass and may pursue additional frameworks in the future.

“Having a partner that already understands our business makes it way easier to bring on new compliance frameworks and to figure out which ones are relevant to our business.” –Rob Gormisky



Location: San Francisco