Case Study: Delta Dental

Delta Dental Uses Shujinko’s Automated Compliance Solution as “Easy Button” for Certifying its Ongoing Cloud Transformation

“Frankly, I’m blown out of the water with AuditX and Shujinko. They’ve been invaluable as we are getting our footing on how to securely and efficiently move into the cloud.”

– Errin Coburn, Director of Cybersecurity, Delta Dental of Washington

Key Benefits

Speeds evidence collection and audit readiness so teams can focus on other work
Highlights compliance gaps and deficiencies, allowing the team to prioritize mitigation
Improves organization and collaboration, ensuring even small teams can quickly gather and submit the necessary materials
Delivers visibility into compliance risk and progress so organizations can prioritize security and privacy improvements

Overview

Delta Dental of Washington, part of the largest U.S. dental insurance network, needed to simplify compliance management during its mammoth multi-year, cloud-first transformation. It turned to Shujinko’s AuditX to speed and modernize that compliance readiness by automating audit preparation.

Showing Compliance Shouldn’t Take Longer Than Being Compliant

Delta Dental of Washington is part of the country’s largest dental plan system, offering coverage to more than 68 million people across the U.S. Customers in Washington range from small businesses to global brands. Yet regardless of size, Delta Dental treats the personal information of each member the same: with the utmost regard for privacy and security.

That makes regulatory compliance an ongoing consideration for the company, all the more so as it goes through a massive multi-year transition to a hybrid cloud-first digital platform. In particular, the company is tasked on an annual basis with demonstrating to larger customers that it’s living up to their requirements regarding the handling of personally identifiable information (PII). But between infrastructure changes and differing customer expectations, that can be a never-ending challenge. Achieving SOC 2 compliance certification thus provides the company with a straightforward method of demonstrating that it is following industry best practices for data security and privacy in the cloud.

That said, managing compliance certification can be burdensome.

“Traditionally, demonstrating IT and security best practices and compliance can be a distracting, draining and labor-intensive process,” says Errin Coburn, director of cybersecurity at Delta Dental of Washington. “It often seems that showing proof that controls are in place can be more work than creating the controls in the first place.”

As with other organizations, the resources required from Delta Dental for the audit process can be extensive. “Audit prep is where all the work is,” says Coburn. “It typically requires dedicated resources, and has a significant impact on whole teams as they’re required to collect and map evidence, identify gaps, remediate, trace and more. And then there’s the non-technical side with control narratives, policy, incident response and assessment – it’s overwhelming. And if you have to start from scratch, good luck.”

As part of its move to the cloud, Coburn and her team were hopeful that Delta Dental could adopt a more “continuous compliance” mentality where relevant data and artifacts were collected and captured in an automated fashion.

“The fact that there’s a divorce between execution of best practices and collecting evidence to show adherence seems ridiculous in a modern cloud deployment,” she notes. “What I want is a compliance ‘easy button’ that just automates that whole process.”

That’s exactly what she found with Shujinko.

Shujinko Automates Evidence Collection

“The first pass at SOC 2 compliance is always the hardest, and Shujinko offered guidance on both engineering best practice and the cloud compliance particulars. Without a tool like AuditX, we would have had to deprioritize SOC 2 compliance because it just wouldn’t have been achievable given the volume of work on our plates.”

– Errin Coburn, Delta Dental

Shujinko’s AuditX is purpose-built software that automates audit preparation, evidence collection and readiness. With AuditX, organizations can complete the audit process faster, and with much greater predictability and visibility. The fact that AuditX automates collection of this evidence directly from cloud infrastructure, distributed services and settings – and then maps the evidence to all applicable controls within and across standards – was something that Delta Dental found particularly important.

“If compliance readiness is a ten stage process, we quickly realized AuditX would start us out at stage seven while pointing out the gaps and deviations that still needed to be addressed,” explains Coburn. “There’s a huge advantage in that clarity versus just groping blindly in the dark.”

Her team also quickly realized that adopting AuditX as a platform – and working with the Shujinko customer success team on the process – promised to not only help minimize the resources needed for audit readiness, but also help Delta Dental navigate the challenges of cloud compliance.

Compliance Audits that are Something to Smile About

With AuditX, Delta Dental quickly found they could distill hundreds of hours of audit preparation into a much more manageable initiative – Coburn estimates that her team has spent less than 60 hours in total on the process.

Moreover, since Delta’s cloud initiative is new and ongoing, the streamlined preparation process was useful in providing assurance where the company is managing risks appropriately, while highlighting deficiencies where a more robust, full-stack set of security controls was required. AuditX not only showed the gaps, it allowed the Delta team to spend more time making needed improvements rather than running around collecting evidence.

“The ability to calibrate where we are in terms of readiness at any given point, know what work is remaining, and highlight our biggest risks are in the cloud – those are huge benefits,” notes Coburn. “And then to be able to take that information in a dashboard to my steering committee and board so we can get buy-in, identify priorities and make plans, I don’t think we could have done all that without AuditX.”

The visibility and organization provided by AuditX are key in this regard. The software organizes prep teams across groups and audits, allowing collaborative workflow, evidence review and communications. Dashboard reporting along with detailed filter views – down to specific task levels and pieces of evidence – keeps the process transparent, efficient and on track.

Going forward, the team is working to expand its cloud presence: delivering multi-tenant digital platform support for other Delta Dental plans across the nation, developing other discrete cloud environments, and pursuing other certification requirements such as NIST-CSF. AuditX’s ability to map and assign uploads to controls across not just other standards, but other environments, will streamline this process tremendously.

Summing up the experience was not difficult for Coburn. “Frankly, I’m blown out of the water with AuditX and Shujinko. They’ve been invaluable as we are getting our footing on how to securely and efficiently move into the cloud.”
