Measurabl Automates 80% Of Their Compliance Program Moving To Drata From Competitor

About

Measurabl is an ESG (environmental, social, governance) solution for real estate empowering customers to optimize ESG performance, drive decarbonization, and secure sustainable finance opportunities.

Location: San Diego, CA
Industry: SaaS
How Drata’s Workspaces provides a tailored approach to complex compliance needs that outshines the competition.

Measurabl’s Need for Compliance

Measurabl is an environmental, social, and governance (ESG) company. Our software monitors large offices and building spaces for energy consumption, gas, electricity, and solar, so we have a variety of large-scale enterprise customers. Our customers and our cybersecurity insurance provider require that we comply with SOC 2 and ISO 27001.

As the senior manager of information security at Measurabl, I handle all things security and compliance related. My main job when joining the team was getting the business to SOC 2 and ISO 27001 compliance with a firm, one-year deadline to get it done.

Compliance Automation Before Drata Was Painful

When I joined the Measurabl team, we were using another compliance automation platform. As someone with 10+ years of audit experience, I knew what had to be done to pass an audit—I just hadn’t used a compliance automation platform to help manage the process.

Unfortunately, the previous tool we were using didn’t fulfill its promise of getting us closer to our compliance goals. Here are a few reasons why our previous engagement had a negative impact on Measurabl’s compliance program:

1. We Couldn’t Trust the Evidence Collection Process

My suspicions about the automated evidence collection process began to rise once we started to complete more requirements for the frameworks. I would see our readiness percentage increase in the platform, but the actual evidence being collected wasn’t adding up.

There was no chance we would be able to get through the audit without having to provide more evidence. This was completely overlooked by our previous provider, which caused gaps in our evidence collection and, frankly, wasted our time.

2. The Platform Was Outdated

Overall, the platform wasn’t up to par and we experienced a lot of issues while using it. The few policies they provided were unreliable and wouldn't have passed an audit.

The way framework controls were mapped to evidence wasn’t straightforward which made it difficult to understand what requirements weren’t being met. Their risk platform was also limited in scope and didn’t help us streamline the process.

3. Customer Support Was Nonexistent

Support was anything but personal. If you had a question, you could expect an email with a link to a PDF document and no further instructions. It was difficult to find the information we needed when questions inevitably came up.

4. They Overpromised and Underdelivered

Vendors promise a lot of things when they want to earn your business. Leadership was told this product would be a very easy and quick solution to get our SOC 2 Type 2, but after seeing the flaws in their evidence collection process in addition to their lack of customer support, I knew it was going to be a bumpy road to SOC 2.

Why We Abandoned Our Previous Provider Mid-Audit

When we supplied the evidence—that according to the platform made us “90% ready” for our audit—the auditor came back with a spreadsheet requesting 110 more pieces of evidence. I wish I could say I was shocked, but I knew the previously collected evidence wasn’t going to suffice.

I took that information back to the business, who expected to hear news of a clean report, and they were displeased. Leadership’s frustration only grew because support offered no explanation as to why our evidence wasn’t sufficient to pass an audit. Other teams outside of security were also impacted, and it put a large pause on the business moving forward.

When it came to providing the additional 110 pieces of requested evidence, the auditors created a spreadsheet for us to work off of because they didn't like our previous provider's UI. It was a heavy, time-consuming lift for the team.

The Solution

We came up for renewal with the platform in the middle of our audit, and we were desperate to make a switch. I started to evaluate many other platforms suitable for enterprise on the market. Ultimately, Drata was the clear winner and we haven’t looked back since.

Our Auditor Champions Drata

We originally connected with our auditor, SAV, through our previous provider. When we made the switch to Drata, we knew it might be challenging to navigate the move with SAV on board. However, it was a risk we were willing to take.

Drata made navigating the transition easy, even during our audit period—and SAV is a full-blown Drata advocate now. They frequently recommend Drata to their clients and believe the Platform is a powerful tool in the industry. That’s given us even more confidence that we made the right decision moving to Drata. They’ve made advocates out of us and our auditor.

Drata Is the Best Tool on the Market

Now that Measurabl has switched to Drata, we’ve seen a night-and-day difference in our compliance program. Drata offers a better, higher-caliber platform that truly alleviates the pain of maintaining compliance. Here are a few other key benefits we've experienced since making the switch:

1. 10/10 Customer Support

The biggest differentiator between Drata and other vendors on the market is their support team. I've been working in security and compliance for years, but there are still things I get stuck on. I can literally get an answer from support in two minutes using their in-app chat. No more waiting to get the information you need to succeed.

2. It’s a Robust All-In-One Platform

After diving deeper into the materials Drata provides during implementation, their policies, controls, and requirements are top-tier quality and accurate. The policy set Drata provides for SOC 2 and ISO 27001 is incredible and arguably more than what you’d need to pass an audit. Their policy templates have added tremendous value to our compliance program, as well as their ISMS document for ISO 27001 compliance.

I don’t have to worry about automatic evidence collection or mapping controls—Drata provides all of that for us. We have a clear idea of the tasks that need to be completed, and we can easily assign those to different lines of business. It streamlines the end-to-end process of managing compliance.

In the past, I would have to refer to six or seven different tools to verify individual compliance of employees. Now, I can go straight into Drata and see which employees need security training, what devices don't have multi-factor authentication enabled, and so on. It’s completely consolidated the way we approach managing compliance.

3. We Can Scale Our Program With Ease

One of the biggest reasons I chose Drata was because I was looking for a platform that the business can leverage now, as well as three to five years down the road. Compliance is an ongoing exercise, so I wanted to avoid having to switch providers every year.

I could see a future of scaling our compliance program with Drata, which was an important distinction.

4. Helps Build a Compliance Culture

No one likes it when security comes poking around, especially engineering teams. Drata helps notify us if something on the engineering side is out of compliance, without having to poke around another team’s territory. I know exactly how to remediate any issue on my own because Drata provides that guidance.

Drata Workspaces Revolutionized Our Compliance Program

Measurabl acquired two companies during our last audit, and those companies are now required to adhere to SOC 2 compliance as well.

Because of this, we’re utilizing Drata Workspaces for our complex compliance needs. With Workspaces, we can separate out various lines of business to be tested against the controls that Measurabl was co-tested against during our last audit. We can take advantage of the work we’ve already done towards Measurabl, apply it to other lines of business, and manage compliance for different environments all in one place.

Since implementing Workspaces, we’ve completely ditched the crazy Jira board we were previously using to keep track of compliance for different lines of business. We now have one centralized place we can turn to as our source of truth.

Return on Investment

Drata has without a doubt saved our organization time in pursuing SOC 2 and ISO 27001. We’ve effectively been able to automate 80% of our compliance workload, compared to the little audit readiness we were able to achieve using our other provider.

Drata makes life easier and is reliable in helping customers get the most out of the Platform. The business has seen a massive improvement since transitioning to Drata and our leadership team is extremely happy.

Drata helps elevate every area of the business and has brought long-term, positive impacts to Measurabl that extend far beyond just compliance. Drata keeps us on the right track from a security perspective, and helps cement transparency throughout the entire organization.

Ty Nickel

Sr. Manager of Information Security
