Virtual Compliance Officer (vCCO) vs Compliance as a Service (CaaS)

Jul 21, 2023 | Blog, CAAS, Compliance, Virtual Compliance Officer

CaaS is a recent term I found interesting. We all are familiar with the term SaaS (Software as a Service), also known as applications in the cloud. Simple enough, we all use SaaS for things like our CRM, accounting platform, video conferencing, etc.

But the term Compliance as a Service (CaaS) is not the same concept.

It is supposed to convey that you can get compliance support services in the cloud, offloading tasks to someone else who has the resources to meet your regulatory requirements, as a more cost-effective solution. However, because it is tied to the “as a Service” nomenclature, it sounds like it should be an application that a customer uses to meet or create a compliant environment. That simply does not exist.

Compliance has the same need for experts that finance and technology have for a CFO or CTO. That is why we refer to our consultant role as a fractional (or virtual) Chief Compliance Officer (vCCO). This role isn’t a service or application that the client can install. It is a subject matter expert role. Like other experts, it requires a level of knowledge and experience to be performed effectively. That includes tasks like presenting different solution options, meeting security control objectives (not just the control statements), understanding the common hurdles in the process, and maintaining solutions to ensure that, once the company becomes compliant, it stays that way.

We are aware of compliance software applications such as FutureFeed and ComplyUp that are built for managing compliance tasks. A compliance officer uses these applications to help them track and manage tasks and documents, not to replace themselves, which is what CaaS implies it is trying to do.

It is like assuming QuickBooks Online will file your taxes, when in reality it simply helps your accountant keep track of your books so they can file the taxes. If CaaS were used to describe compliance management software, that would make more sense.

It seems like the industry is always pushing for the next term to trigger a purchase or to start a new trend. We need to be careful about picking up phrases that may not be the correct term.

To continue my opinion on this topic, there is another CaaS term currently in use, Cybercrime as a Service, where bad actors sell their tools and services to other bad actors. Just what we need, right? More confusion in the industry, with two meanings vying for a term that is already used incorrectly. Ironically, CaaS used in this fashion is the more accurate use of the “as a Service” term, because here the threat actors are selling their tools (applications) for others to use. This is more in line with the normal use of cloud-based services.

To summarize, I am not criticizing the use of tools and applications to help an organization in its compliance journey. We often recommend and use some of the tools I mentioned above in helping our clients navigate their compliance requirements. I just want to clarify that an organization will not be compliant simply by subscribing to a Compliance-as-a-Service tool.

If you would like to have a conversation to help clear up any confusion there might be, feel free to reach out.
