The Hardest Part About Compliance Isn’t Certifications, It’s Discipline
BEMO
on Apr 21, 2026
Most companies think the toughest part about compliance is the technology or getting all the right certifications. They’re wrong. The toughest part about getting compliance right is maintaining discipline in behavior and processes. It’s an operational maturity problem. After walking through SOC 2, ISO 27001, and CMMC (including preparing for CMMC Level 2), one pattern becomes obvious: the organizations that struggle aren’t struggling because they lack tools. They struggle because they lack structure.
In the latest episode of Trust Issues by BEMO, Brandon and Bruno Lecoq welcomed Cindy Oliveto, Senior Director of Operations at BEMO, to explore how organizations can achieve operational excellence in the context of security and compliance, and what happens when they don’t.
Here are the key takeaways from their conversation:
The Real Cost of “Getting Certified”
When leaders ask, “What does it take to get certified?” they’re usually thinking about a project, referring to timelines, checklists, and eventually, a finish line. What they don’t realize is that this is the wrong starting point. What they should be asking is “What does it take to stay compliant every month after certification?”
As Cindy emphasizes, compliance frameworks aren’t one-time hurdles. They require recurring evidence, recurring reviews, recurring documentation, and recurring accountability. SOC 2 might feel approachable. ISO 27001 adds layers - formal risk management, internal audits, executive reviews, documented nonconformances and corrective actions.
What’s more, CMMC adds a different complexity because it’s still new. Auditors, MSPs, and contractors are still learning the game as they go, and this makes operational discipline even more critical.
Frameworks Don’t Fail - Operating Models Do
Contrary to popular belief, the hardest part of compliance isn’t deploying MFA or configuring endpoint protection. It’s documenting how controls are enforced, reviewing those controls on a monthly cadence, proving executive oversight, and maintaining evidence continuously.
As Cindy suggests, compliance requires a dependable rhythm across departments, with one person or a small group taking clear ownership of security and compliance on a daily basis. For example, in many defense contractors (especially in the 20–100 employee range), someone is named “the champion,” but rarely is there a cohesive cross-functional team with defined roles and responsibilities.
And that’s exactly where the breakdown begins because a lack of accountability affects every aspect of the business. Security can’t carry the burden alone.
The Internal Audit Reality Check
ISO 27001 forces something many companies aren’t used to: internal audits before external audits. As Cindy explains, this means you don’t just get tested once; you get tested twice. This also results in nonconformities (major and minor) that must be tracked, remediated, and documented. Essentially, you must prove not only that controls exist, but that reviews happened, that executives reviewed findings, that change management boards met, and that access reviews were conducted.
All auditors care about at the end of the day is evidence, and that’s where automation becomes non-negotiable.
Automation Is the Only Way to Scale Compliance
Manually collecting logs from 50+ systems every month is unsustainable. The organizations that scale compliance well invest in:
- Centralized GRC platforms
- Automated log collection
- Integrated reporting
- Evidence capture tied directly to policy controls
Cindy’s fix is to pull logs from identity systems, endpoint protection, and data protection tools, and then evaluate those logs against policy automatically. That way, when an auditor asks, “Prove you review access monthly,” the answer isn’t an email chain; it’s a system that shows:
- When the review occurred
- What was reviewed
- What issues were found
- How long remediation took
This way, compliance becomes demonstrable.
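To make the "evaluate logs against policy automatically" idea concrete, here is a small added example (not BEMO's code or any GRC product's logic) that takes access-review records exported from identity systems and checks them against a written policy: reviews every calendar month, findings closed within a remediation SLA. The record fields, the 30-day SLA and the sample data are all constructed for the example; it answers exactly the four questions above (when, what, what was found, how long remediation took) rather than pointing at an email chain.

```python
"""Evaluate access-review evidence against a written access-control policy.

Added example (not BEMO's code): the record layout, the policy parameters
and the sample reviews below are all constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Policy as written in a hypothetical access-control policy document:
# access is reviewed every calendar month and findings are remediated
# within REMEDIATION_SLA_DAYS. Both values are assumptions for this example.
REVIEW_CADENCE = "monthly"
REMEDIATION_SLA_DAYS = 30


@dataclass(frozen=True)
class AccessReview:
    """One access-review record as exported from an identity system."""
    system: str                     # which system was reviewed
    reviewed_on: date               # when the review occurred
    scope: str                      # what was reviewed
    findings: int                   # how many issues were found
    remediated_on: Optional[date]   # when the last finding was closed (None = still open)


# Constructed sample evidence: four months of data with one month missing a review
# and one remediation that overran the SLA.
SAMPLE_REVIEWS = [
    AccessReview("Entra ID", date(2026, 1, 15), "all privileged roles", 2, date(2026, 1, 28)),
    AccessReview("SharePoint", date(2026, 1, 20), "site collection admins", 0, None),
    AccessReview("Entra ID", date(2026, 2, 12), "all privileged roles", 1, date(2026, 3, 30)),
    # No review of any kind happened in March 2026.
    AccessReview("Entra ID", date(2026, 4, 10), "all privileged roles", 0, None),
]


def months_between(start: date, end: date) -> list:
    """Every (year, month) pair from start's month through end's month, inclusive."""
    months = []
    y, m = start.year, start.month
    while (y, m) <= (end.year, end.month):
        months.append((y, m))
        y, m = (y + 1, 1) if m == 12 else (y, m + 1)
    return months


def evaluate(reviews: list, period_start: date, period_end: date, as_of: date) -> dict:
    """Compare the evidence with the policy and return an auditor-readable summary.

    as_of is the date the evaluation runs; findings still open are aged against it,
    so an unremediated finding eventually shows up as an SLA breach on its own.
    """
    reviewed_months = {
        (r.reviewed_on.year, r.reviewed_on.month)
        for r in reviews
        if period_start <= r.reviewed_on <= period_end
    }
    missing = [
        f"{y}-{m:02d}"
        for (y, m) in months_between(period_start, period_end)
        if (y, m) not in reviewed_months
    ]

    remediation = []
    for r in reviews:
        if r.findings == 0:
            continue  # nothing to remediate for this review
        closed = r.remediated_on is not None
        end = r.remediated_on if closed else as_of
        days = (end - r.reviewed_on).days
        remediation.append({
            "system": r.system,
            "reviewed_on": r.reviewed_on.isoformat(),
            "scope": r.scope,
            "findings": r.findings,
            "days_to_remediate": days,
            "closed": closed,
            "within_sla": days <= REMEDIATION_SLA_DAYS,
        })

    return {
        "cadence": REVIEW_CADENCE,
        "months_missing_review": missing,
        "remediation": remediation,
        "compliant": not missing and all(x["within_sla"] for x in remediation),
    }


if __name__ == "__main__":
    import json
    summary = evaluate(SAMPLE_REVIEWS, date(2026, 1, 1), date(2026, 4, 30), as_of=date(2026, 5, 1))
    print(json.dumps(summary, indent=2))
```

Run against the constructed sample, the summary reports March 2026 as a month with no review and the February finding as closed after 46 days, outside the 30-day SLA, so the period is marked non-compliant. The point of the structure is that the same function runs every month on whatever the identity system exports, which is what turns "we review access monthly" from an intention into evidence.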
AI Governance: The Next Operational Test
One of the most eye-opening revelations? ISO 42001 (AI governance) is raising the bar even further. You can’t simply buy Copilot licenses and move on. Before AI can safely operate inside your environment, you must:
- Cleanse and classify data
- Apply consistent labeling
- Review permissions
- Define boundaries for agent access
Cindy’s explanation is that agents behave like identities, requiring role-based access and governance. So, if your SharePoint permissions haven’t been reviewed in ten years, AI will expose that weakness immediately.
In fact, shadow AI is already happening in most organizations. Employees are using AI tools regardless of formal approval. So, governance is no longer optional.
Where Should Leaders Start?
Cindy’s word of caution to every leader out there is to start with one simple, yet profound question: Are we ready for the long run?
Because compliance is not a certificate. It is a cadence with a few foundational steps:
- Building the right core team
- Defining ownership and operational routines
- Automating wherever possible
And perhaps most importantly, write policies you can actually follow because assessors don’t audit your intentions. They audit your behavior against your own documentation. If your policy says you review access monthly, you will need to prove you reviewed access monthly.
As Cindy explains, BEMO can help you with templates outlining the phases, roles, and policies required to audit successfully against compliance frameworks. If you need extra guidance to approach this project confidently -->
The Bottom Line
Cindy’s biggest reminder: Compliance is not a project with an end date. It is an operating model.
The companies that succeed embrace it as such, developing cadence, automating evidence, and aligning business processes with security controls. They treat governance as infrastructure.
So, going back to the beginning, companies that fail do so because they haven’t invested the time and thought it takes to build operational maturity. The companies that win invest away!
Frequently Asked Questions
1. Why is compliance harder than companies expect?
Compliance is often more complex than companies anticipate because it is not just about implementing tools or creating documentation. It requires ongoing operational discipline across the entire organization. Frameworks like CMMC and ISO demand consistent processes, accountability, and cross-functional collaboration between IT, security, HR, and leadership teams. Many businesses underestimate the level of effort needed to maintain compliance over time, including continuous monitoring, policy enforcement, and audit readiness. Without a structured approach, compliance quickly becomes overwhelming and difficult to sustain.
2. Is compliance a one-time project or an ongoing process?
Compliance is not a one-time project. It is a continuous and evolving process. Achieving certification is only the beginning. Organizations must maintain compliance through regular monthly, quarterly, and annual reviews, along with ongoing evidence collection and control validation. Regulations and frameworks frequently change, and businesses must adapt to new requirements, risks, and technologies. Treating compliance as a one-time initiative often leads to gaps, failed audits, and increased security risks over time.
3. What is the biggest mistake companies make before pursuing certification?
One of the most common mistakes companies make is focusing too heavily on tools and technology before establishing a strong compliance foundation. While tools are important, successful compliance starts with building a cross-functional team, clearly defining roles and responsibilities, and creating documented processes. Without ownership and accountability, even the best tools will fail to deliver results. Organizations that prioritize people and processes first are far more likely to achieve and maintain certification successfully.
4. Why is automation important for compliance management?
Automation plays a critical role in modern compliance management because manual processes do not scale effectively. Collecting evidence, tracking controls, and preparing for audits manually can lead to burnout, human error, and missed requirements. Automation helps streamline repetitive tasks, ensures consistency, and provides real time visibility into compliance status. This not only reduces risk but also allows teams to focus on strategic security improvements instead of administrative work. For growing businesses, automation is essential to maintaining compliance efficiently.
5. Can companies deploy AI tools before establishing data governance?
Deploying AI tools without proper data governance in place can introduce significant security and compliance risks. Before adopting AI, organizations must first implement strong data classification, conduct systematic data cleanup, and enforce strict access controls. Without these foundational elements, sensitive data can be exposed, misused, or processed in ways that violate compliance requirements. A secure and well-governed data environment is critical to safely leveraging AI technologies while staying compliant.
6. Where should a company start with CMMC or ISO compliance?
The first step is to evaluate what your market and customers actually require. Not every framework applies to every business. For example, pursuing CMMC would not make sense for a company that does not handle Controlled Unclassified Information or work with government contracts. Understanding your industry requirements and customer expectations helps you prioritize the right compliance path from the start.
Once that is clear, the next step is to build a strong foundation. This includes assembling a dedicated compliance team, defining clear processes, and understanding the requirements of the chosen framework. From there, organizations should perform a gap analysis, identify risks, and prioritize remediation efforts. Only after establishing processes should companies implement tools and automation to support compliance. Taking a structured approach ensures long-term success and avoids unnecessary complexity or rework.