I got an email the other day from QuickBooks, our accounting system provider. They were thanking me for our recent payment.
I wasn’t sure what they were referring to, so I asked Brad, our VP of Business Operations, if that was our annual fee.
He said, “No, that’s our monthly fee.”
Yikes. When I started Fractional CISO, we were paying something like eight dollars a month. This invoice was dozens of times larger.
Granted, we were much smaller then and prices have gone up in recent years. Even so, I was kind of shocked.
But the reality is, here in 2025 and whether it’s QuickBooks or something else, working with an online accounting system of some type is necessary. Running a business with a homemade Excel spreadsheet or (gulp) a paper ledger is no longer an option.
Everything – banks, payment systems, payroll, accounting – is intertwined. Anything more ambitious than the neighborhood lemonade stand (and I’m sure even some of those accept credit cards) is now digital and online.
Clients often ask whether they need a compliance tool for their cybersecurity. In most cases, they probably do not.
The problem is that today’s tools are not nearly as useful as their accounting counterparts. That’s partly because accounting has set-in-stone standards. There are only so many ways things can be done.
It’s also because cybersecurity tools are decades – okay, centuries – behind accounting tools. Yes, they can do some very basic things and they may save you some time here and there. But for the most part, they are still super-immature and lacking many necessary features.
That’s why a majority of our clients do not use one of these systems. Instead, most use Google Drive or Microsoft 365 to store and share the information with their team. Typically, that includes things like vendors, policies, risk assessments, evidence for their audit, summaries of the incident response tabletop exercises, off-boarding documents for former employees, etc.
For a cybersecurity tool to check all the necessary boxes, here are the kinds of things you would expect…
Dashboard data from other systems. MDM, EDR, vulnerability management, cloud provider security tool, etc. This provides a single location for viewing the status of your cybersecurity program.
Automated evidence collection. This can possibly save time once set up; however, setting it up and maintaining it can be tricky. Plus, you’d want it to be comprehensive across all your cloud instances. For example, if you have 10 of these but automate data collection from just five, have you actually saved time or simply given yourself a false sense of security?
Vendor management. Most small and medium companies have tens, even hundreds, of vendors. This provides a central management point: documentation about who owns which system; vendor evaluation history; contract requirements by vendor; etc. Vendor management can be a powerful tool for evaluation and continued reminders to push on vendors.
Document management. Whether it is managing policies, internal audit reports, or other evidence from past evaluations, these tools should have streamlined ways to store the information. When a new person comes onto the security and compliance team, it provides a one-stop-shop for all information needed.
Risk management. As companies perform risk assessments, this would track their decisions and open issues.
Audit management. These tools should hold onto cybersecurity controls and the evidence tied to these controls, and be able to share the information with auditors.
This isn’t a complete list, but you get the idea. And while today’s tools can perform most of these functions, only a small percentage are done well. (It’s as if your accounting package allowed you to store your expenses but not your revenue.)
We Are Not There Yet
As to whether your business should step up to one of these tools, it’s largely a question of whether managing them will save you enough time to make the effort worthwhile. For most small and medium businesses, the answer is still no.
Do I think this will always be the case? Definitely not. Eventually, given enough customer input and time, some vendors will make a robust tool that allows for complete management of a cybersecurity and compliance program.
But for now, the use case is not compelling. By going without, you are not outside the mainstream. Spreadsheets and other homegrown solutions are still required.
Enjoy your lemonade.