Obsidian Security scales compliance program with A-LIGN & Drata

by: A-LIGN 5 min

ISO 27001, SOC 2


Obsidian Security is a market leader in comprehensive SaaS security, specializing in threat management integration, third party risk, security posture and configuration, and compliance.

Founded in 2017 with a mission to make the impact of SaaS breaches a thing of the past, Obsidian simplifies SaaS security for major applications including Microsoft 365, Google Workspace, Workday, Salesforce, and more.

By leveraging the power of audit expertise and automation, Obsidian was able to achieve SOC 2, ISO 27001, and ISO 27701 compliance excellence with A-LIGN and Drata.

The challenge: Building and scaling Obsidian’s compliance program

Obsidian’s path towards creating a robust security program started when the team only had 15 employees and a tight budget. Although they were a small team, Obsidian secured business from multinational, highly regulated customers with complex security needs.

The company reached a point of inflection where they needed to scale their compliance program and meet the growing demands of their enterprise customers. With their sights set on obtaining a SOC 2 report, Obsidian looked for an audit partner to help them meet their compliance goals.

During their search for an experienced and cost-effective assessor, Obsidian considered their options, ranging from large-scale accounting firms to small, boutique practices. When the team deliberated on working with a large firm, they were concerned about receiving a low-quality, rubber-stamp audit report that didn’t effectively showcase their dedication to security.

“We have a very strong security DNA at the company. We decided very early on that it was critical to establish a robust security and governance program. We wanted to use our program to manage enterprise risk for the company and the product, but also to establish trust with our customers and in the marketplace.”

Alfredo Hickman, CISO

Not only was receiving a high-quality report essential for Obsidian, but they also wanted to adequately manage their GRC program. They searched for a solution to effectively manage risk while also delivering the requirements of customers, auditors, and regulators.

The solution: A world-class audit experience powered by expertise and automation

Obsidian sought a high-quality report and efficient audit process, driven by a partnership focused on continual improvement. Ultimately, Obsidian chose to engage with A-LIGN and Drata for their audit and GRC requirements.

Obsidian has implemented a robust third-party risk management program, which involves thorough scrutiny of attestation reports from various companies, so their team has ample knowledge of what makes a trusted, high-quality, robust audit report.

Of all the assessors’ reports, Alfredo said A-LIGN’s stands out for its well-structured and comprehensive nature, particularly in assessing performance and coverage of controls. The detailed report assures customers and prospects of proper due diligence and fosters trust with other key stakeholders.

Obsidian also appreciated the personalized attention from A-LIGN’s engagement managers, the responsiveness of fieldwork auditors, and the transparency throughout the preparation and report drafting stages, including the QA process.

In their pursuit of supporting the demands of their GRC program, Obsidian utilized Drata as a solution to leverage people, processes, and technology for scalable operations.

“The value proposition of having an audit partner like A-LIGN at the strategic level and having a partner like Drata at the technical and operational level is that you can streamline the entire audit process.”

Alfredo Hickman, CISO

Looking ahead, Obsidian eagerly anticipates further evolution in their partnership, aiming to incorporate more automation and continually streamline processes over time. Obsidian, A-LIGN, and Drata can continuously improve processes together and strive towards compliance excellence.

About Obsidian Security

Obsidian Security is the premier security solution designed to drastically reduce the attack surface area of SaaS applications by 80% on average. With contextual user activity data, configuration posture, and a rich understanding of 3rd party integrations in SaaS, the Obsidian platform reduces incident response times by 10x and streamlines compliance with internal policies and industry regulations. Notable Fortune 500 companies trust Obsidian Security to secure SaaS applications, such as Salesforce, GitHub, ServiceNow, Workday, and Atlassian. Headquartered in Southern California, Obsidian Security is a privately held company backed by Menlo Ventures, Norwest Venture Partners, Greylock Partners, IVP, GV, and Wing. For more information, visit www.obsidiansecurity.com.


Price and Associates CPAs, LLC dba A-LIGN ASSURANCE is a licensed certified public accounting firm registered with the Public Company Accounting Oversight Board (PCAOB). A-LIGN Compliance and Security, Inc. dba A-LIGN is a leading cybersecurity and compliance professional services firm.

A-LIGN 2025. All rights reserved.
