What if your next ISO 27001 audit required almost no preparation?
That’s exactly how Lemuel Valdez, CISO at Cobham Satcom, approaches security.
Instead of scrambling to collect evidence before an audit, he builds systems where audit readiness is simply a byproduct of everyday work.
“Controls, risk approvals, documents and evidence are linked in a system that works. Audit work cannot exist as a separate scramble.”
That’s the essence of frictionless security management.
Watch the full interview with Lemuel Valdez on our YouTube channel:
Stop treating compliance as a separate project
Many organizations still manage risk and compliance in dedicated GRC tools that sit outside the engineering workflow. The result?
Engineers keep working in Jira.
Security teams work somewhere else.
Audits become detective work.
Lemuel chose a different approach: bring compliance directly into Jira, where engineering already happens.
“When security lives inside existing workflows, people don’t have to change how they work – they simply work more securely.”
Traceability beats paperwork
For Lemuel, every security process starts with one design principle:
Traceability
An auditor should be able to start from a risk or requirement and follow the complete chain:
the decision,
the mitigation,
the approval,
the implementation,
the evidence.
No screenshots. No spreadsheets. No hunting through emails.
Everything already exists because it’s part of the workflow.
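To make that chain concrete, here is a small added example of what "following the chain" looks like when it is automated rather than done by hand. It is not code from SoftComply, Cobham Satcom or the interview; the issue keys, issue types and link structure are a constructed, Jira-like sample, and the stage names are an assumption drawn from the list above. Given one risk, it walks the links stage by stage, reports the first stage it cannot reach, ignores links that point sideways or backwards (a mitigation linked back to its decision), and produces the list of risks an auditor would otherwise have to discover by hand.

```python
"""Traceability check over a constructed, Jira-like issue graph.

Added example, not the product's or the company's code. Issue keys,
issue types and link names are assumptions made up for illustration.
"""

# Stages an auditor expects to follow, in order, starting from a risk.
CHAIN = ["Risk", "Decision", "Mitigation", "Approval", "Implementation", "Evidence"]

# Constructed sample: issue key -> (issue type, keys it links to).
ISSUES = {
    "RISK-1": ("Risk", ["DEC-1"]),
    "DEC-1": ("Decision", ["MIT-1"]),
    "MIT-1": ("Mitigation", ["APR-1"]),
    "APR-1": ("Approval", ["ENG-42"]),
    "ENG-42": ("Implementation", ["EVD-7"]),
    "EVD-7": ("Evidence", []),
    "RISK-2": ("Risk", ["DEC-2"]),
    "DEC-2": ("Decision", ["MIT-2"]),
    "MIT-2": ("Mitigation", ["ENG-99"]),   # approval step was skipped
    "ENG-99": ("Implementation", []),      # nothing links to evidence
    "RISK-3": ("Risk", ["DEC-3"]),
    "DEC-3": ("Decision", ["MIT-3"]),
    "MIT-3": ("Mitigation", ["DEC-3"]),    # link cycle, no way forward
}


def trace(issues, risk_key):
    """Follow links from one risk through every expected stage.

    Returns a dict with the longest path found, whether the chain is
    complete and, if not, the first stage that could not be reached.
    Only links to the *next* expected stage are followed, so dangling
    links, sideways links and cycles are skipped rather than looped over.
    """
    if issues.get(risk_key, (None,))[0] != "Risk":
        raise ValueError(f"{risk_key} is not a Risk issue")

    def walk(key, depth):
        # depth is the index in CHAIN of the stage `key` belongs to.
        if depth == len(CHAIN) - 1:
            return [key], None          # reached Evidence: chain complete
        want = CHAIN[depth + 1]
        best_path, best_missing = [key], want
        for nxt in issues[key][1]:
            if nxt not in issues or issues[nxt][0] != want:
                continue                # not the next stage: not part of the chain
            sub, missing = walk(nxt, depth + 1)
            if missing is None:
                return [key] + sub, None
            if len(sub) + 1 > len(best_path):
                best_path, best_missing = [key] + sub, missing
        return best_path, best_missing

    path, missing = walk(risk_key, 0)
    return {"risk": risk_key, "complete": missing is None,
            "path": path, "missing": missing}


def audit_report(issues):
    """Every risk whose chain is broken, with the stage that is missing."""
    results = [trace(issues, key)
               for key, (kind, _) in sorted(issues.items()) if kind == "Risk"]
    return [r for r in results if not r["complete"]]


if __name__ == "__main__":
    for r in audit_report(ISSUES):
        print(f"{r['risk']}: missing {r['missing']} after {' -> '.join(r['path'])}")
```

Run against the sample, the report names RISK-2 and RISK-3 as incomplete, each stuck at the Approval stage. The point is the shape of the check, not the sample: when risks, decisions, approvals and engineering tasks are linked issues, the gap list is a query over existing data rather than an audit-week exercise.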
Security people understand controls. Engineers understand risk.
One of the most interesting insights from the conversation was that awareness isn’t built by teaching controls.
It’s built by explaining risk.
Engineers don’t necessarily care about compliance frameworks. They care about understanding why a change matters to their product, their project, and ultimately the business.
By linking risks directly to Jira issues and engineering tasks, security becomes relevant instead of abstract.
Use the tools people already love
When asked why he embedded risk management directly into Jira with the SoftComply Risk Manager Plus app, Lemuel's answer was refreshingly practical:
“Look at what you already have.”
Organizations spend years building habits around tools like Jira and Confluence. Replacing those habits creates resistance.
Building security into them creates adoption.
Instead of asking engineers to visit yet another system, risk management becomes just another part of delivering software.
Dashboards people actually use
Different people need different views of risk.
Executives want strategic risks.
Finance wants financial exposure.
Engineering wants actionable tasks.
By keeping everything connected inside Jira, live dashboards automatically show the information each audience needs – without manually preparing reports or PowerPoint slides before every meeting.
AI is helpful, but it should not be in charge
The interview also touched on AI.
Lemuel uses AI to improve risk descriptions, suggest mitigation tasks and identify related work items, making it easier for teams to document and manage risks.
But there’s one rule that never changes:
Humans stay accountable.
AI should support decisions, not make them. Structured data, clear ownership and human review remain essential – especially in regulated industries.
The biggest lesson? Start where you are.
Perhaps the strongest takeaway from the entire conversation wasn’t about technology at all.
It was about culture.
Rather than replacing everything, successful CISOs look at the organization they already have, identify the easy wins, and gradually embed security into existing ways of working.
The result?
Cobham Satcom achieved ISO 27001 certification with zero major and zero minor findings after roughly six months – not because they prepared harder for the audit, but because the organization was already working that way.
Frictionless security isn’t about adding more process.
It’s about making secure, compliant behaviour the easiest way for people to get their work done.