An Interview with Andrew Hicks: Simplifying Compliance
by Rick Kuwahara COO of Paubox
The Paubox Encrypted Interview Series allows us to chat with leaders in healthcare IT, compliance and cybersecurity to pick their brains on trends and best practices.
In this Encrypted Interview, we chat with Andrew Hicks, Vice President of Frazier & Deeter, one of the nation’s fastest growing accounting and advisory firms, serving the evolving needs of clients from start ups through global Fortune 500 companies.
Early career and professional growth
Rick Kuwahara: You recently joined Frazier and Deeter, but before that you’ve been in compliance and consulting roles for over 18 years, and a number of that, dealing with healthcare in particular. What is it about compliance and consulting that has made it such a focus in your career?
Andrew Hicks: Yeah, Rick, great question. It’s something I got introduced to coming out of college, by my boss at the time. He encouraged me to look at IT audit as a way to learn a lot about the operations of the company, as well as depth in a wide variety of technologies.
I’ve taken that through approach my career; cast a wide net and focus on what is interesting. While IT compliance and security stuck, I also found interest in working with healthcare organizations. About 20 years ago, I had my first introduction to HIPAA; about 10 years ago HITRUST.
Then you look at the technology side, and how organizations are safeguarding their crowned jewels, what they’re doing to thwart off attackers. This presents an opportunity to learn, be a SME and be highly consultative, innovative, and part of a solution.
So, to answer your question, what I love about compliance and consulting is it’s extremely fast-paced. There’s a lot of change, both on the compliance side, but also on the technology side, as well as a huge opportunity to learn and help customers solve their everyday challenges.
I realized about 9 years ago that I wanted to get into consulting. It’s been a great decision and something I’ll continue to do for a long time.
Rick: So what drew you to Frazier & Deeter?
Andrew: Yeah, great question. I was looking for a new opportunity and an individual in my network reached out and said, “Hey, have you ever heard of Frazier & Deeter?” I had, but I didn’t know much about them.
I was introduced to Sabrina Serafin, who’s a partner here, and Sabrina and I had a casual conversation one afternoon.
What really attracted me was a few things. One was the relationship aspect. A lot of consulting firms out there, say, “Oh, we’re your adviser. We’re your partner. You should trust us.”
But what was different here was I felt like it was heartfelt. It wasn’t a facade like so many other companies.
The conversation turned to, “how can we simplify things for our customers. How can we be a better partner?”
There was no conversation about margins, driving profits, or revenues. It was 100% with the customer in mind, and that really meant a lot to me.
The second thing was around quality. We want to do high-quality, high-caliber work for our customers.
And again, tying back to the numbers, sure we want to be profitable as an organization, but we also want to do really good work.
Even if it means working extra hours, working over the weekends, if it means not hitting numbers, things like that…this company goes the extra mile to make sure customers are happy, and we’re upholding our own meaning of being a true partner to them.
So, those things were really exciting to me.
Then I would say the third thing was around innovation. This company is investing heavily in the relationship aspect.
A lot of companies are going through what I call multi-threaded assessments where they’re doing SOC, ISO, PCI, FedRAMP, HITRUST, etc., and it’s just a lot of madness out there.
Frazier & Deeter is an organization that’s investing heavily in simplifying the assessment journey with our customers.
My mission in the HITRUST marketplace is to build an assessment model that the marketplace hasn’t seen before. One that doesn’t involve spreadsheets, lengthy requests lists, hours of time interviewing, endless travel, and astronomical assessment fees.
Frazier & Deeter is well on the way to accomplishing all of these.
Rick: Great, and so after you joined Frazier & Deeter, what’s the biggest challenge or mission that you have, as you start in this new chapter in your career?
Andrew: I am just four weeks into this, so, the biggest challenge is learning about what we do, how we do it, who our customers are, what our niche is in the marketplace, etc.
But it’s really absorbing all of that and building that into the services that I own, and then off-shooting what I know with my experience back into what the firm is doing. So, looking to maximize the benefit of all the various services that we offer is probably the biggest thing.
Then also, quite candidly, it’s leveraging. There’s a highly talented and experienced team here. Tapping into that knowledge trust early and often will be impactful for making a smooth and quick transition.
I need to keep reminding myself that I can’t boil the ocean on my own. It’s just breaking things up into bite size pieces, to prioritize and start moving the needle on a lot of things where we can enhance the services already in place.
Rick: HITRUST has really become a big signal in healthcare that an organization takes its security posture seriously. Why do you think that is?
Andrew: So I’ve been doing HITRUST for eight years, and I’ve kind of coined the phrase, at least I think I’ve coined it with, “I can get behind anything I believe in.”
And HITRUST is an organization that established themselves about 15,16 years ago. Their number one goal is to boost cyber security awareness and the overall cyber maturity in the marketplace by leveraging their proven framework.
From an organizational perspective, what I like about it is it truly enhances your cyber security program and serves as the foundation. It allows you to measure your overall cyber security posture and really make decisions around where you’re going to invest as an organization to drive greater enhancements to your cyber security program.
Rick: Great. I know that when we were telling people that Paubox was going through HITRUST and we got a lot of sympathy because it seems like such a daunting process, and it really was for us when we were first approaching it. But I like that you don’t think that it really has to be daunting. Can you share a little bit more about why you think that is?
Andrew: Yeah Rick, this is what really excites me.
My mission in this chapter of my career is one word. And that word is simplification.
Whether it’s HITRUST, whether it’s HIPAA, whether it’s FedRAMP, whatever it is.
I know the market extremely well. I know what organizations go through and all of the regulations and frameworks out there, as well as the challenges of going through an assessment.
The point is, it does not need to be as archaic, confusing, and expensive as what it is. So my passion here is to stand-up something the market hasn’t seen before.
As an example, the customer experience has traditionally been extremely laborious and expensive. It’s so often crafted with the consulting firm in mind, as opposed to the customer. We are changing that at Frazier & Deeter. We work closely with our customers, ingest their feedback, then tweak our program to make things easier and better.
I’ve learned in my career that if you focus on two things, you will be successful. Listen to your customers, and listen to your team. When those two people groups are the center point for what you are building, success won’t be far away.
Rick: Great. Maybe you can talk a little bit more about how exactly you simplify assessments but still be comprehensive.
Andrew: I’ll say, just knowing the assessor community out there, it is not uncommon for assessors to hand over whatever we call PBCs, ERLs, RFIs – it’s the request list.
And in the HITRUST space that list can be 300, 400, 500 items of very specific asks. This is insane and a huge burden on customers.
In most cases, these requests the length they are because the assessor hasn’t taken the time or care to harmonize it into like-spirited topics. We are doing that! Another reason is because technology and innovation aren’t being leveraged. Microsoft Excel is not innovative. In fact, it’s the opposite. It causes burn and churn with consultants and is, quite frankly, a disservice to the assessment process.
Another area for improvement is reducing the amount of time interviewing control owners. It needs to be done, but sitting at a conference table for hours on end is not the best way to do it, especially when the assessor is reading requirement statement after requirement statement.
We are on the verge of launching our latest program release which will streamline the interview process by normalizing the assessment framework around control topics that are easily assignable and understandable amongst control owners. This will yield a tremendous amount of efficiency.
Let’s talk about the organization that is doing multiple assessments- ISO, SOC, PCI, HITRUST.
It blows my mind that so many firms out there will start delivering against the least prescriptive framework first. This is a major red flag.
Nearly every framework out there is a drop in the bucket compared to the rigor of HITRUST. When you think about it, HITRUST was carefully built on the assess once, report many philosophy. That’s why so many frameworks have been mapped into it. The starting point should always be HITRUST.
Like I said though, and another attraction to Frazier & Deeter, is we listen to our customers and assessors, and are pioneering solutions that make sense. And yes, quality and integrity are at the forefront of everything we develop.
Rick: Right. Well that’s great. And it sounds like that’s a great scalable way, not just for the initial assessment, but as you go through your annual or bi-annual reviews.
Andrew: Absolutely, yeah. I encourage our customers to do more than treat an assessment as a point in time. To maximize the ROI, organizations should fully adopt the framework and build it into the DNA of the cybersecurity program. This means performing continuous monitoring work to maintain the operational integrity of the controls in place.
An assessment shouldn’t be a… “You got caught with your hand in a cookie jar” moment.
It should be, “Hey, we’ve already prepared for this because we’ve been managing our controls for the last 10 months since the last engagement.”
An assessment shouldn’t be a massive lift every single year, it should be broken out into bits and pieces throughout the year so you’re actively managing it. Quite honestly, it’s making your cyber security program much more dynamic than if you’re just treating it as an assessment.
Rick: Yeah, that’s fantastic and I look forward to hearing how you guys are coming along with that and really pushing that assessor industry forward.
Rick: How do you keep up with industry trends? Any good podcasts, blogs, influencers or newsletters that we should be following?
Andrew: I get all of my information from the LinkedIn page from Paubox. [chuckle] I’m joking. But seriously, guys do a great job at providing thought leadership on a wide variety of topics.
There is a large community that uses LinkedIn, which I think there’s a lot of great content out there.
The other thing is I talk to my network a lot. I’m highly networked with some key individuals. I like to stay current and relevant with them and hearing what’s going on in their organizations, their challenges, their pain points, how they’re overcoming things. So that’s a really good source for staying up-to-date with the industry trends.
And then probably the last thing is the conference circuit. I always go to HIMSS, HITRUST, RSA. If I’m speaking or just as an active listener there’s always a lot of good content there as well.
From a media outlet perspective, ISMG is a great source too.
Rick: What do you do to de-stress and relax?
Andrew: De-stress, is there such a thing [chuckle]?
I would say, for me, it’s being more on point of shutting the laptop and really focusing on what’s important outside of work, and that’s my wife, that’s my four kids, so between the five of them, there’s lots of opportunity to de-stress, have fun, get out and be active.
I’ve also made it a point to have fun at work. Too often, work has a negative connotation with it. But, it doesn’t have to be that way. If you aren’t having fun at work, you probably aren’t liking your job. I was there once in my career and now know the importance of asking for help and having fun.
So I’ve learned to make my life, and my family, and de-stressing activities a priority because otherwise, we all know how work can be consuming. That’s one thing I like about Frazier & Deeter, it’s a well-balanced organization from a work-life perspective.