How We’re Building a World-Class Security Program at RegScale — And Why I Joined

When I first came across the job posting for the Information System Security Officer (ISSO) role at RegScale in May 2024, something clicked. After more than 20 years working as a Systems Administrator, I had transitioned into cybersecurity in 2019. I was looking for a place where I could bring all of that experience together.
As I started researching RegScale, its mission, and its product, I realized it wasn’t just another compliance platform. It was a company with the power to transform how organizations approach security, automation, and compliance at scale. I fell in love with the ethos: automate the hard stuff, empower people to focus on what matters, and scale security as fast as innovation itself.
From Day One: Building on Strength
My first major milestone at RegScale was renewing our SOC 2 Type 2 certification for 2024. In a typical manual environment ruled by spreadsheets and paperwork, expanding to a continuous monitoring program for SOC 2 Type 2 is very resource-intensive. It requires continuous evidence gathering, controls assessment, issue remediation, and documentation updates — not to mention reporting and fielding requests from auditors. Altogether, an initial SOC 2 Type 2 takes at least 400 hours of manual effort, which is a major challenge for smaller companies.
Luckily, we had a solution. Building off our initial SOC 2 Type 1 certification and leveraging our own Continuous Controls Monitoring (CCM) platform, we were able to implement automated evidence collection, readiness assessments, and remediation tools as well as real-time status updates.
As a result, we were able to reduce our SOC 2 Type 2 audit preparation time by 94%, compressing nearly 400 hours of manual work into less than 25 hours.
The next big win was achieving our FedRAMP High Approved status at half the cost and 3-4 times faster than the industry average. Once again, we used our own CCM platform to tackle the problem of slow, manual certification.
Leveraging our AI Author feature, we drafted control implementation statements that were already 80-85% complete from the start, letting us skip the initial writing stages and jump straight to final editing. We also used AI Author to view our existing implementation statements and documentation gaps in a single pane of glass. Additionally, we used one-click exports to generate FedRAMP artifacts and packages in the required formats.
The outcome of all this automation? We received our FedRAMP High ATO in just 6 months and at 50% of the average cost. We also wrote a package of 410 controls in just 2 weeks, a feat that normally takes 12-16 weeks — and we accomplished it all with just 3 security experts instead of the 8-10 employees it would normally require.
This wasn’t just another certification; it was proof that RegScale could meet the strictest federal security standards, a huge leap for a company at our stage.
Raising the Bar with CSA
Not long after, we set our sights on the Cloud Security Alliance’s Security, Trust, Assurance and Risk program (CSA STAR). In November 2024, we became a Trusted Cloud Provider in the STAR program, which strongly validated our cloud security capabilities. To achieve that Trusted Cloud Provider designation and be listed in the STAR Registry, we had to demonstrate our third-party validated security practices, our enhanced trust and reliability in cloud ops, and our compliance with the CSA’s rigorous standards.
More recently, we became one of only a handful of companies to successfully complete the CSA STAR Valid-AI-ted certification. And we didn’t just pass; we earned the highest score CSA had awarded to date: 97.7%.
That score reflects the hard work, collaboration, and culture of security we’ve built here. Every engineer, every leader, and every teammate contributed. For me, it was proof that our security program wasn’t just keeping up; it was leading the way.
Security as a growth engine — and its future at RegScale
What excites me most about RegScale’s security journey is that none of this is about “checking the box.” We’re building a security program that scales with our business, accelerates our growth, and helps our customers meet their own missions. Security here isn’t a cost center; it’s a growth engine, a trust enabler, and a competitive advantage.
From SOC 2 to FedRAMP, these milestones are just the beginning. Security threats evolve, standards evolve, and so will we. Next up? Our Cybersecurity Maturity Model Certification (CMMC) and DoD IL5. More broadly, my focus is on staying ahead, driving automation, and embedding security deeper into our culture and our platform.
At RegScale, security isn’t just something we do for compliance. It’s who we are. And that’s why I’m here.