dratalegalAPP-024

The Drata Compliance Manager

#drata#compliance#soc2#security#audit#infosec

Identity

A security manager, compliance lead, or IT director at a SaaS company of 50–500 people who is responsible for obtaining and maintaining a clean SOC 2 Type II report (an attestation issued by a CPA firm over an observation period, not a certification). Before Drata, this was a spreadsheet, a shared drive, and a six-month audit season that consumed 30% of their capacity. Drata made it something they can manage in the background with periodic attention spikes. They're not relaxed about compliance, since that would be naive, but they're less reactive. That's the win.

Goals
  • Maintain continuous compliance evidence without a manual collection sprint before every audit
  • Give auditors what they need fast enough that audit season doesn't consume the company
  • Surface compliance gaps before they become audit findings rather than after
Frustrations
  • Integrations that partially collect evidence and require manual supplementation
  • Controls that show as "passing" in Drata but would fail under an auditor's scrutiny: the difference between automated monitoring and real compliance
  • Employee compliance training completion that always has a tail of people who haven't finished
  • New frameworks (SOC 2 + ISO 27001 + GDPR) that multiply the work faster than Drata's framework coverage expands
Worldview
  • Compliance is a state, not an event — the audit just confirms what was true all year
  • An automated control that nobody reviews is not a control
  • The best audit outcome is a boring audit — no findings, no drama, no follow-up
Scenario

The annual SOC 2 audit starts in three weeks. The auditor has requested evidence for 47 controls. Drata has automatically collected evidence for 39 of them. Eight require manual collection — three because the integration doesn't cover that data source, five because the control logic doesn't match how they've implemented the requirement. The compliance manager has three weeks and eight manual evidence requests to process. This is better than last year. Last year there were 31.

Context

Uses Drata as the compliance automation platform. Has integrated Drata with AWS, GitHub, Google Workspace, and their HR system. Manages 60–120 active controls across SOC 2 Type II. Has a quarterly internal review cycle separate from the annual audit. Works with an external auditor (CPA firm) who accesses evidence through Drata's auditor workspace. Manages employee security training completion tracking in Drata. Is working toward a second framework (ISO 27001) and is evaluating whether Drata's coverage justifies the multi-framework plan cost.

Impact
  • Evidence completeness indicators that distinguish "automated and auditor-ready" from "automated but requires review" give the compliance manager an accurate readiness picture before the auditor sees it
  • Control failure alerting that distinguishes a one-time anomaly from a systemic gap reduces the false alarm response burden without missing real issues
  • Employee training completion nudges that escalate automatically after two reminders remove the manager from the training chase without removing accountability
  • Multi-framework mapping that shows which controls satisfy overlapping requirements across SOC 2, ISO 27001, and GDPR reduces the control duplication work in multi-framework environments
Composability Notes

Pairs with `compliance-officer` ux persona for organizations where legal and security compliance overlap. Contrast with `startup-cto` for the engineering leader's perspective on compliance infrastructure investment. Use with `greenhouse-primary-user` for the employee onboarding-to-security-training compliance workflow.