Compliance by default: Prometeia’s strategy for transparency and enduring trust
Prometeia is an award-winning Italian company providing advisory services and software solutions for the financial sector. Rooted in a culture built on quantitative research and forecasting, and driven by the values of trust, independence, and transparency, Prometeia has been at the frontier of risk and wealth management for half a century.
To keep its place at the forefront, Prometeia is now adopting a digital approach to financial services, led by cloud technology and AI.
Key requirements
A context-conscious GRC automation platform to efficiently and transparently manage security risks by integrating IT, security operations, and regulatory compliances, embedded at every organizational level, supported by the ability to confidently demonstrate security and compliance posture.
Sprinto solution
A proven and flexible GRC automation platform for centrally monitoring and managing security programs, providing in-depth, real-time insights into risk, control performance, and overall compliance posture, powered by capabilities that minimize the effort required for compliance scaling, and helping demonstrate posture with clarity and confidence.
- Certifications: ISO 27001, SOC 2, ISO 27017, ISO 27018, ISO 27701
- Location: Italy
- 10+ frameworks activated and managed
- 4+ audits managed simultaneously
- 90% reduction in compliance efforts
The Challenge – Building trust through transparency
For Prometeia, an advisory and software solutions company at the frontier of the financial market for over half a century, cloud is a core SaaS enabler.
However, in today’s rapidly evolving landscape, the cloud brings both rain and shine. The integration of cloud technology creates new opportunities but also new attack surfaces and an entire encyclopedia of risks. The risks and opportunities associated with AI technology are much the same.
With trust being a north star at Prometeia, it became increasingly important to secure IT infrastructure, including cloud assets, and improve operational resilience by enhancing overall focus on risk management and making compliance with top-tier security programs the default state.
This meant integrating Prometeia’s key digital drivers – IT infrastructure, security operations, and regulatory compliance – deeply into the organization’s operations to be able to stay on top of any deviations – systemic risks and compliance risks in particular – and respond better, and faster.
In practice, this involved designing and embedding an “always-on” security program so that proactive risk management and compliance monitoring are not optional but essential pillars of their cloud and AI strategy.
Having compared traditional approaches to GRC management with automated platforms and given the multiple layers of technological orchestration required to achieve compliance, Prometeia had little doubt about adopting a platform-based approach to achieving its goals.
Transparency is a guiding value at Prometeia. This means accountability internally and open communication with clients and partners. We wanted to redesign our compliance practice around this, to build trust throughout the organization and the market at large.
Flexibility, Automation, and 360° Visibility: Choosing the right GRC platform
Alessio Panni, Prometeia’s Partner Head of the Cloud & Platforms division, was tasked with taking the lead on designing Prometeia’s new cohesive trust program primarily for its SaaS business journey.
Joining forces with the heads of security compliance and IT risk, Alessio began exploring GRC platforms that could help embed pillars of trust and transparency into operations across Prometeia.
During the evaluation phase, Alessio was also keenly aware of the need to ‘demonstrate’ trust. “The market needs a third party to vouch for you, and certification is a good way to go about this,” he remarks.
Prometeia’s previous approach to compliance was admittedly traditional. They were already ISO 27001 certified and had built up a strong internal IT function, but still relied on consultants for certification renewals. The biggest challenge, however, was visibility, as Prometeia needed to ensure clear accountability in security operations while maintaining a near real-time picture of what was happening.
“We need stability, automation, and efficiency in our internal processes especially in the run phase, without impacting agility, innovation, and the time to market of our SaaS offer,” Alessio says.
Maintaining that visibility proved to be a struggle, especially during recertification, which made an automated approach attractive to Alessio and the Prometeia team. But this wasn’t the only criterion they evaluated on their hunt for the right compliance automation platform.
- Context-consciousness: Prometeia wanted to manage GRC programs, regulatory compliance in particular, within their unique context, with the requisite integrations to ensure total cloud asset coverage.
- Scalability: A unified scheme to support and manage multiple regulatory frameworks in parallel was a must-have.
- Flexibility: Since Prometeia was not originally digital-first, the organization needed a seamless way to transition and transform capabilities as per new business needs.
- Demonstrability: A Trust Center and similar capabilities to provably demonstrate the state of risks, compliance, and security posture were crucial for Prometeia given their industry segment.
- Efficiency: Filling out security questionnaires and balancing costs was a pressing challenge, making efficiency the need of the hour.
- Openness: Finally, since transparency is a guiding value at Prometeia, they expected the same from their GRC vendor. They explicitly looked for a platform that provided the implementation support and direction required for a seamless transition.
Having evaluated 5-6 GRC platforms along these criteria, Prometeia selected Sprinto after doing a guided pilot to build comfort and establish value.
Agility and flexibility were key elements we carefully looked at during the selection of the technology partner, and then tested during the pilot phase. We are very happy to have found them in Sprinto.
The Solution – Centralized, automated compliance for improved accountability, visibility, and efficiency
Prometeia’s goal for 2023 was to future-proof the business. This meant staying relevant to the market by building the capabilities to demonstrate trust and get compliances in shape by the end of 2024.
Additionally, with Prometeia’s ISO 27001 certification audit approaching in 6-7 months from starting with Sprinto, Alessio was keen on leveraging the platform’s automation to prepare for and run both ISO and SOC 2 audits. Depending on how well these went, DORA was next in line for Prometeia.
Consequently, reducing audit preparation time and maintaining operational velocity became key metrics for the organization’s engagement.
With Sprinto, Prometeia took two months to integrate the platform fully into its unique cloud environment.
These two months also involved uploading and organizing policies, integrating IDP (Identity Provisioning) and setting up built-in MDM (Mobile Device Management), linking controls to relevant risk thresholds for assets, transferring control and evidence histories to Sprinto, building a clear roadmap of control gaps, and doing the work to close these gaps.
Sprinto’s responsive native integrations were pivotal in bringing near real-time visibility into Prometeia’s security assets, painting a vivid picture of security infrastructure, and helping better manage critical systems. This transparency quickly brought pressing compliance issues to the fore so they could be addressed instantly.
Traceable efficiency through automation
Having completed Sprinto’s integration, Prometeia could lean on automation to start monitoring its technical landscape, including two software production lines, their cloud operations unit, the corporate functions of internal IT and the CISO office, two of their hyperscale cloud providers, and the entirety of their internal IT infrastructure.
Automation was a major value driver for Prometeia. Since the organization already had many compliance pieces in place, automation could play the role of connective tissue – helping string together assets, processes, controls, and tests and producing compliance evidence without the hassle.
“Continuous monitoring helps from day one. It connects all the pieces and helps delegate tasks to specific roles and accounts without losing track or control. When it comes to applying compliance principles, automation is a gamechanger,” says Alessio.
Automation served to lower investment at Prometeia without affecting efficiency and built a common process around compliance. More critically, automation helped further cement Prometeia’s core values of Trust, Independence, and Transparency into its operations.
Alessio provides an example to illustrate: “Continuous compliance monitoring and reporting has helped build and strengthen relationships at Prometeia. The platform is a source of truth for compliance and makes the subjective more objective. This way people know when something’s amiss and what to do. The sheer number of checks Sprinto runs helps us trust the platform, and the visibility it provides builds transparency. When people are on the same level about compliance, they can have more meaningful conversations. Sprinto has massively improved our inter-team communications, and teams can function with greater independence thanks to confidence in the platform and what it tells us.”
With Sprinto’s automation running the day-to-day housekeeping at Prometeia, Alessio and his team were able to re-design the compliance function to instill compliance by default into Prometeia’s operations.
We saved a large number of hours and effort in building a picture of our assets and practices. We were able to rapidly implement actions to fill compliance gaps and could immediately monitor operational adherence over time.
The Results – Clear accountability, improved visibility, increased confidence
Prometeia successfully activated 10+ frameworks on Sprinto leveraging Sprinto’s Common Controls Framework (CCF) to right-size their management efforts and reorient focus.
Enabled by CCF, Prometeia eliminated duplicate controls and reduced the total number of controls that needed active monitoring across compliances from over 1500 to around 130.
Internally, Alessio and his team leaned on Sprinto’s automation to build a structured and benchmarked approach to compliance marked by standardized processes. This helped preserve cloud security posture with zero disruptions and very low maintenance cost and effort. As a secondary benefit, it also improved pre- and post-sales engagements.
Sprinto also helped instrument a centralized governance practice by easing knowledge sharing between functions and providing a real-time lens into security at every level. With this visibility came confidence, and with confidence came client trust.
After 6-8 months with Sprinto, Prometeia successfully renewed their ISO 27001 certification, extended to ISO 27017 and ISO 27018, completed ISO 27701 certification, and completed a SOC 2 audit.
Having built operations that are security-conscious and compliant by default, Prometeia is now working on ISO 22301 and CSA STAR certifications, confident of audit success.
Sprinto helped us get a running start on our trust and transparency goals by integrating technical prowess and transparent governance into how we manage risk, security programs, and regulatory compliances. We are confident this value will be even higher over the next years of maintenance and evolution.