How System1 manages disparate systems after M&A activity and streamlined SOX audits

Tackling security and compliance post-IPO

System1 is a leading customer acquisition marketing company. Through their proprietary platform called RAMP – which stands for Responsive Acquisition Marketing Platform – System1 delivers high intent customers to advertisers and to the company’s own subscription products.They own and operate over 40 digital properties across publishing, search and applications including MapQuest, HowStuffWorks, and their private search engine, Startpage, among others.

In January 2022, System1 entered a business combination with Protected.net, a developer of security and privacy subscription products based in the United Kingdom. The two companies combined under the name System1 and became a publicly traded company on the New York Stock Exchange (NYSE: SST). While data and identity security were always important to System1, passing SOX audits became an even more urgent priority for the company with their new public listing.

Understanding users, roles, and access across disparate systems

Jack Chen joined System1 in May 2022 as Director of Information Technology and was immediately tasked with finding a way to streamline audit-related processes. Jack and his team were looking for a solution that could quickly deliver value as the company had the goal of becoming SOX compliant by the year’s end.

Jack also knew that the team needed to get better visibility into System1’s many systems. “System1 has gone through acquisitions and with that comes overlapping systems and a lot of complexity.” Jack adds, “As a startup, you want to move fast. So then you end up with SaaS sprawl and a lot of accounts provisioned at the start.” Lacking visibility, there was no easy way to audit and ensure compliance, particularly if a resource was not gated behind an Identity Provider.

Jack, with Muinat Bammeke, GRC Analyst at System1, began evaluating possible solutions. “We had to hit the ground running, seeing as we had a deadline at the end of the year that we needed to achieve,” Jack explained. “Our AWS footprint is pretty big so that integration was critical, along with the ability to integrate with our homegrown apps that sit outside of our IdP.”

During the evaluation process, Jack placed emphasis on security, ease of use, and time to value. Muinat discovered ConductorOne and saw that it offered the quickest deployment, a user friendly dashboard, and supported their most important integrations.

Jack says, “I liked that security was at the core of what ConductorOne has built. The product was simple, clean, and easy to use. I didn’t want something over complicated or that required a lot of configurations to set up and go live.” It took just three weeks to connect ConductorOne with System1’s identity provider and in-scope applications and launch their first user access review campaign.

Achieving SOX compliance with ConductorOne

Jack and his team noticed the benefits of ConductorOne immediately. “Administering user access review campaigns has become painless. It’s foolproof from start to finish.” The ConductorOne team also went above the call of duty, helping with training materials and product walkthroughs for system owners and reviewers. Jack shares, “The ConductorOne team was very responsive and supportive through the whole process. It’s been a great experience.” System1 successfully implemented ConductorOne Access Reviews for their 500+ employees in September 2022.

For Muinat, the speed of implementation particularly stood out. “I was impressed by the fast onboarding process – it was a breeze! The support team is swift to respond and very reliable.”

The System1 team was able to satisfy auditors as well. Throughout the SOX audit process, they were able to provide the right evidence and generate time-stamped reports with ease. Muinat and Jack noted that ConductorOne significantly reduced the time and effort needed to pull data and reports to satisfy auditor requirements and helped to ensure success in compliance audits. “It’s magic,” Muinat says.

Being able to show ConductorOne to internal auditors, where they can generate time-stamped, immutable reports, and see logs in one console, was impressive.”

Jack Chen

Director of Information Technology

Achieving SOX compliance is a table stakes issue for System1. Jack estimates that the company would have had to dedicate several weeks every quarter to prepare for audits. “In previous roles, I’ve seen instances where getting the right data and all the back and forth would take months,” Jack says. By contrast, future user access reviews can be launched in ConductorOne within a day.

System1 has been able to significantly cut down the amount of work they would have had to do manually. “It’s set and forget. The time savings from streamlining manual processes related to compliance is huge,” says Jack.

“With ConductorOne, we’re able to have a single pane of glass to look at our systems – and manage users, roles, and access to those systems – which is a huge win for us.”

Jack Chen

Director of Information Technology

By automating user access reviews and auditor reporting with ConductorOne, System1 has successfully completed its SOX audits and is now shifting its focus to other compliance frameworks.

Beyond SOX: Security and Visibility Across Infrastructure

System1 has been able to integrate many of its infrastructure applications and cloud tools into ConductorOne. “With ConductorOne, we’re able to have a single pane of glass to look at our systems – and manage users, roles, and access to those systems – which is a huge win for us,” says Jack.

Reflecting on the revocations from System1’s first privileged access review with ConductorOne, Jack expressed, “Being able to reduce the number of users with admin access makes it easier to sleep at night.” With ConductorOne, Jack and his team can enforce least privilege for critical systems and ensure that users have access to sensitive data for only as long as they need to complete tasks and projects. This means the company can continue to scale while maintaining a strong security posture.

Looking ahead, Jack and his team are exploring ways to further enhance security around their workforce identities and access without creating barriers to productivity. “Everything I do is with security in mind,” says Jack. “Being able to look at who actually needs access to each system at a certain point in time - reducing manual inputs and having a paper trail we’re able to follow - is critical.”