Category Archives: Blog

TPRM Audit Fatigue: When Trust, Time, and Teams Collide

Lately, I’ve been observing a growing trend where Financial Institutions (Banks and NBFCs) are increasingly mandating 3-day onsite audits as part of their Third-Party Risk Management (TPRM) programs. It often feels like an implicit signal that they don’t fully trust the fintechs or startups they work with, even those that proudly hold ISO 27001 or SOC-2 certifications. These certifications were meant to demonstrate a baseline of security maturity and due diligence, yet they’re being treated more like a footnote than a foundation.

Now, if you’re a fintech or startup working with even a moderate number of financial partners, say 8 to 10, your security and GRC teams could be spending upwards of 30 working days a year managing these TPRM audits. That’s nearly a month of valuable bandwidth lost to redundant assessments and fragmented processes.

To make matters even more tangled, there’s no standard playbook across auditors. Some send sprawling spreadsheets. Others insist on a live walkthrough with no prep and rapid-fire questions. Yet another expects you to navigate a third-party portal with its own quirks and terminology. Every new audit feels like starting from scratch.

Walkthrough-style audits, in particular, tend to be the most disruptive. They often require specific team members to join calls, explain configurations, demo access flows, or justify implementation choices. And since the questions tend to repeat across audits, these sessions end up being déjà vu for many teams, especially engineering. Their time is typically reserved for product building and problem-solving. Getting them to repeatedly field audit questions naturally creates friction between Engineering and Security, and sometimes even with the partner institutions.

On the flip side, the pressure within startups isn’t helping either. Many founders are pushing their teams (security, engineering, DevOps, legal, consultants) to rush through ISO or SOC-2 readiness on extremely tight deadlines. I’ve heard the same frustration echoed by several folks: long nights, tight audits, no breathing room. It’s become a checkbox race, not a maturity journey.

There’s also a growing school of thought within the industry that ISO/SOC-2 reports, especially the ones churned out by compliance automation platforms, are becoming more of a sales enablement tool than a reliable indicator of security posture. That perception is driving financial institutions to dig even deeper during TPRM audits, essentially second-guessing the very frameworks designed to reduce the need for redundant assessments.

It’s tempting to wish for regulatory clarity here—perhaps a unified guidance from the regulator on how TPRM audits should be approached across the ecosystem. But that might be asking too much, given the operational nature of these audits and the regulator’s usual hands-off stance on implementation details.

To me, this is a multi-layered challenge. ISO and SOC-2 were designed to communicate security assurance to stakeholders for both internal teams and external partners. But if the output is no longer trusted, the entire premise starts to wobble.

As a small experiment, I once created a detailed Security Handbook for a client I consult for as a vCISO. It outlined their security practices end-to-end and drastically improved our turnaround time for security questionnaire responses. But unfortunately, the auditors weren’t too pleased—they preferred their own templates, their own questions, their own format. It didn’t matter that the answers were clear and well-structured. Standardization was nowhere in sight.

And let’s not ignore the irony that auditors are still asking for screenshots in an age where APIs could provide real-time evidence. It just feels out of sync with the pace and capabilities of modern tech. Honestly, this entire space is long overdue for disruption.

So the question is “how do we solve this?” What’s a practical, scalable way to balance assurance demands with the productivity of already stretched teams? How do we rebuild trust in certifications without burning out people in the process?

Would genuinely love to hear your thoughts.

Will WhatsApp Replace Slack In Enterprise Collaboration?


Am I the only one noticing how quickly WhatsApp is making its way into the enterprise messaging and collaboration space? Lately, it has introduced numerous new features, such as communities and channels.

In India, businesses are increasingly relying on WhatsApp not just as a marketing tool but also for delivering important updates to customers. With the promise of APIs that can seamlessly integrate with enterprise tools, it’s becoming clear that WhatsApp is serious about serving the business world.

Just today, WhatsApp announced a new feature called Call Links, similar to the meeting links in Google Meet or Zoom, allowing scheduled group calls:

“Create and share a WhatsApp call link so that anyone with a WhatsApp account can join your call by opening the link. You can send it to a person or group on WhatsApp, or copy the link and share it another way.

Every time you create a call link the URL is different and secure, so no one can guess your call links. Call link calls are end-to-end encrypted.”

Additionally, from startups to large corporations, everyone is struggling to prevent the widespread use of web.whatsapp.com on their enterprise devices. Security teams are caught in a dilemma – whether to block or allow web.whatsapp.com. Before they can make a decision, it seems likely that it will become an integral part of the enterprise suite.

One feature that WhatsApp appears to lack when compared to Slack is the ability to use ‘@here’ to notify all users 😁

What are your thoughts on this? 🤔

#WhatsApp #EnterpriseCollaboration #FutureOfWork #meta

Protecting Your Brand’s Online Identity: Safeguarding Your Social Media Accounts from Hacking and Misuse

An organisation’s social media handles are often treated as part of the company’s brand and identity itself. If someone else gains control of a handle, they can damage the company’s reputation by posting inappropriate or misleading content.

It is said that nearly 20% of small and medium businesses have had their social media accounts hacked.

Here are some interesting incidents from the past:

  • Concerned about fake news and hate speech, Sweden’s public radio closed its Twitter accounts
  • Prime Minister Narendra Modi’s Twitter account was hijacked in 2021
  • Popular gaming company PUBG’s official YouTube account was hacked
  • The Union Ministry of Information and Broadcasting’s Twitter account was hacked last year
  • Elon Musk’s Twitter account has been hijacked repeatedly in the past to push pump-and-dump Bitcoin scams

Recent incidents targeting the accounts of brands and large organisations have prompted regulators to call for additional measures to safeguard social media accounts.

In fact, in India the Reserve Bank of India (RBI), in its Master Directions for NBFCs, has explicitly called for social media accounts to be safeguarded:

RBI Master Directive on Social Media 

What should you do to safeguard your organisation’s social media accounts?

If you are managing your company’s social accounts, here’s a checklist to ensure they are secure:

  1. Use official company email IDs to manage and map social accounts. I have seen personal email accounts used for managing brands. This causes problems once the employee quits, and because these non-company email IDs are unmanaged, it is difficult to enforce security controls around them.
  2. Enable multi-factor authentication (MFA) so that login requires a second factor. Even if a password is leaked or stolen, an attacker would still need the MFA factor to gain access. Prefer an authenticator app or a hardware key over SMS codes, which can be intercepted through SIM swapping.
  3. Do not reuse passwords across different accounts. Attackers routinely try passwords found in one leak against other services (credential stuffing), so one breach elsewhere can hand them your social accounts.
  4. Get the company’s official accounts verified for assurance and credibility. Prioritise this, as fake listings are causing real losses to customers.
  5. If your company uses third-party tools or plugins, review them routinely for vulnerabilities. A common finding during web security audits is that websites hosted on a CMS such as WordPress or Drupal run plugins for social sharing, marketing, analytics and so on. If these plugins are not kept updated, they can be exploited to gain entry into the website. If your corporate website is hosted separately from your web applications, the damage is limited; if not, this can lead to much more serious data breaches.
  6. If you engage third-party agencies or consultants, review their security practices and ensure they are in line with all regulatory requirements. Regulators such as RBI and SEBI mandate that third parties follow the same security practices outlined for regulated entities.
  7. Regularly monitor accounts for any suspicious activity or unauthorised access.
  8. Back up all social media account data regularly to minimise the impact of any security incident or data loss.
  9. Limit access to social media accounts to authorised personnel only and use role-based access controls. Managing multiple email accounts for social media channels can be challenging; if several people need to log in, you can use a distribution list as the account’s email address, and set a different password for each social account.
  10. Consider using social media management tools to help manage and secure accounts more effectively.
  11. If you are a CISO or security professional for your company, spend some time with the Marketing and Customer Support teams on how they handle these channels: how they log in, how content is reviewed, and in particular how they handle sensitive information that customers share over these channels.
  12. Create a crisis communication plan to prepare for potential security incidents, including who to contact, what to do, and how to respond to the public. Write Standard Operating Procedures for these and share them internally so that responding is easier in the event of a breach.
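Item 3 above is easy to state and hard to enforce. One practical check, added here as an example and not part of the original post, is to test a candidate password against a known-breach corpus without ever sending the password itself. The code below uses the k-anonymity "range" lookup of the Have I Been Pwned Pwned Passwords API (a real, keyless endpoint: only the first five hex characters of the SHA-1 hash leave your machine, and the server returns every suffix it knows for that prefix). The offline fetcher, the sample passwords and their breach counts are constructed for the example so it runs without network access; swap in `hibp_fetch_range` to query the live corpus.

```python
# Added example (not from the original post): k-anonymity breach check for a
# password. Only a 5-character SHA-1 prefix is sent; the full hash stays local.
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real endpoint


def sha1_upper_hex(password: str) -> str:
    """SHA-1 of the UTF-8 password as upper-case hex, the format the API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> Tuple[str, str]:
    """Return (5-char prefix that is sent to the server, 35-char suffix kept local)."""
    digest = sha1_upper_hex(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; tolerates CRLF and blank lines."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if not sep:
            continue  # malformed line: skip it rather than fail the whole check
        counts[suffix.upper()] = int(count)
    return counts


def leaked_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in the corpus (0 means not found)."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def hibp_fetch_range(prefix: str) -> str:
    """Live fetcher (needs network). Sends only the 5-character hash prefix."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"User-Agent": "social-account-password-check"},  # the API expects a UA
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def make_offline_fetcher(known_leaks: Dict[str, int]) -> Callable[[str], str]:
    """Constructed stand-in for the API so the example runs offline.

    `known_leaks` maps plaintext passwords to the count the fake server should
    report. This is sample data made up for the example, not a real breach dump.
    """
    def fetch(prefix: str) -> str:
        lines = []
        for pw, count in known_leaks.items():
            p, s = split_hash(pw)
            if p == prefix:
                lines.append(f"{s}:{count}")
        lines.append("0" * 34 + "A:1")  # filler suffix, as a real response has many
        return "\r\n".join(lines)
    return fetch


if __name__ == "__main__":
    # Constructed sample corpus: two weak passwords with made-up counts.
    fetch = make_offline_fetcher({"password123": 123456, "Summer2023!": 42})
    for candidate in ("password123", "Summer2023!", "correct-horse-battery-staple-7731"):
        n = leaked_count(candidate, fetch)
        verdict = f"seen {n} times in breaches, do not use" if n else "not in the sample corpus"
        print(f"{candidate!r}: {verdict}")
    # Against the live corpus:  leaked_count(candidate, hibp_fetch_range)
```

A non-zero count is a hard reject for a shared social account password; a zero only means the password is not in that corpus, not that it is strong. Because the fetcher is injected, the same `leaked_count` can be wired into an onboarding script or a password-manager export review without changing the check.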

Brand verification

Brand verification is essential to confirm that social accounts truly represent your company. Most major platforms offer a way for brands to verify their accounts as official. Brand verification provides multiple benefits:

  • Assures customers that they are interacting with official company accounts
  • Adds credibility to information shared through verified accounts
  • Prevents rogue accounts from creating channels using your company name
  • Makes it easier to take down spam and unauthorized accounts

Verification Process Links:

Verification links for popular social media accounts are listed here:

If you found this useful, please like and reshare.

About Me: I help fast growing startups, fintechs and other companies in the areas of Cyber Security. If you need pragmatic guidance or help in this regard, do not hesitate to get in touch with me: email@vprasanna.com

Black Friday and Cyber Monday Deals for Cyber Security Tools


Black Friday and Cyber Monday are around the corner. Over the years, I have bought discounted multi-user, multi-year packs of VPN software, a perpetual license for Shodan, fancy domain names that are sitting idle (the ideas remained ideas!), antivirus, WiFi cards, encrypted USB drives and much more.

This is a great time to buy some geeky stuff, including security tools and services, at a discount for yourself, family, friends and your employees. I have listed some of my favourite things that can enhance your cybersecurity posture:

Password Managers

As I mentioned here, I think password managers are still the most underrated tool when it comes to cyber security. We still have not transitioned from the “remember your password” mindset to the “passwords are not meant to be remembered” mindset.

Use a password manager together with a hardware key or token, and all you need to remember is one master password; everything else lives in the manager on your system or in the browser. If not a paid one, you can also opt for a good open-source one such as KeePass.

If you are on Mac and iPhone, the built-in iCloud Keychain acts as a multi-device password manager when used with the Safari browser.

VPNs

One of the first steps to limit what can be learned about you is to encrypt and route all your traffic through a reputable VPN service provider, so that your local ISP is blind to your network activity and cannot profile your browsing habits. Bear in mind that this moves that visibility to the VPN provider rather than removing it, so pick one whose no-logging policy has been independently audited. Most vendors discount their products during Black Friday / Cyber Monday sales.

Privacy Filters

A privacy filter narrows the screen’s viewing angle and prevents shoulder surfing or snooping by others. It is a great addition for sales and marketing teams and CXOs who are on the road, working out of cafes, airports and other crowded places.

Hardware MFA tokens

It is well established that hardware MFA tokens that comply with the FIDO standards (FIDO2/WebAuthn) are phishing-resistant: the credential is bound to the site’s origin, so a look-alike phishing domain cannot replay it. Roll these out in your office in place of traditional soft-token MFA. If pricing rules out all staff, start with the most critical people.

Webcam covers and stickers

I use a simple piece of tape to cover my webcam, and there are also sticker-style covers with a slide toggle. However, the slightly thicker webcam covers have caused screen breakage on MacBooks when the lid is closed, which even prompted Apple to issue an advisory.

Software and Hardware Tools 

I remember paying next to nothing for Shodan in one of the Black Friday deals a few years back, and it is a great tool for gathering intel on IP addresses. Similarly, great hardware tools such as Alfa wireless cards and the Hak5 WiFi Pineapple pentesting kit get heavy discounts during this time.

Do comment and let me know what your best Black Friday or Cyber Monday purchase has been. I have added a few data privacy tools like onedelete, onerep and wearables in the forked repo:

https://github.com/gravityfuel/InfoSec-Black-Friday/

#blackfriday #cybermonday #blackfridaycybersecuritydeals #cybersecuritydeals #cyberweek #cyberdeals