By Sharon Smith
Compliance – Is It Really Such a Bad Word?Compliance – Is It Really Such a Bad Word? https://c-suitenetwork.com/advisors/wp-content/themes/csadvisore/images/empty/thumbnail.jpg 150 150 Sharon Smith https://secure.gravatar.com/avatar/747c8ddcd9fe6d17ec63330cf266a7d2?s=96&d=mm&r=g
Does the word compliance make your skin crawl, send shivers down your spin, and make you want to run for the hills? It seems to do that to everyone I talk to, and therefore, I want to change the story and tell you why compliance, when viewed through a different filter can be the catalyst your organization needs in order improve its security posture.
There are so many compliance regulations, both government-mandated and industry-mandated, it is hard to find an organization that does not have at least one acronym they have to be complaint with. Whether it is HIPAA, PCI, FFIEC, FEDramp, DIACAP, NIST-171, GLBA, NYCRR 500, FISMA, SOX, GDPR, etc., there is a better-than-good chance you are on the hook for at least one of them. And why has this happened? It’s because when left to their own devices, organizations in just about every industry are not taking security seriously and data breaches continue to get bigger and bigger, affecting more people, costing millions and billions of dollars. Depending on the industry even putting lives in danger.
Some of these regulations can literally put you out of business if you fail to comply and even with that threat people call me saying they need to be compliant in the next three weeks. Instead of creating and maintaining an ongoing compliance program they say what do I need to do to be compliant and avoid the fine? Oh yeah, and it needs to be done in the next three weeks.” They are looking to meet the bare minimum standard, check a box and move on and that is when compliance feels dirty and doesn’t solve the problems it was setup to solve.
The reason compliance feels like a four letter word and makes most people cringe is the way that it is commonly handled.
Smaller organizations often don’t have the staff to properly secure their networks and data and have often outsourced everything technology related to a third party vendor. They are in “fire and forget” mode, meaning that as long as the systems are running and nothing strange happens, they figure everything is fine and they don’t discuss security or compliance with their vendor. The challenge with this model is that security is being left up to a third party and unless you are paying extra for a secure solution, most of the time the vendor is not providing much if any security solutions. It’s only when the organization finds themselves on the hook for compliance that they start asking their vendor the security questions they should have been asking from day one. As a result the compliance requirement helps drive their security going forward. If you are a small business who has outsourced your IT to a third party, I strongly recommend having the security conversation early in the relationship, preferably before hiring them.
Even large organizations who have a security team and a large IT department do not approach security in a systematic or strategic way and they also get complacent. The mentality from executive leadership seems to be that as long as everything is working and they don’t hear of any problems, then everything is okay and they don’t have to spend money on security. But is it okay? There are reports that indicate 50% of organizations will fall victim to some sort of breach and only half of those organizations will even realize it. As we often say in the security business, it’s not about if you are breached; it’s about when and whether you will even know about it or be able to respond. It is compliance for these organizations that is often how security teams and technology groups are able to get the budget they need for security.
Regardless of the size of your organization or the industry you are in, when compliance is viewed as an annual audit, which is how many people view it, and someone in the IT department or worse in the Finance department is told they are responsible for ensuring the compliance work is done on time in order to avoid any fines or penalties, it leaves a bad taste in everyone’s mouth. This type of attitude results in everyone spending the next two months working around the clock to validate compliance and do their day job.
Once you realize that compliance is never an annual audit or a one-and-done effort; rather it is an ongoing program that has to be built into daily operational procedures it can stop feeling like a fire you have to keep putting out. During the process of ongoing compliance you are improving the security and longevity of your organization and protecting in some cases the health and livelihood of your customers.
Of course post-breach remediation lights a fire under everyone’s ass to get their security up to par, and as such it’s as compelling a motivator as you can get, but it’s also the worst possible motivator to face and why compliance should be seen as a good thing rather than a bad word. Not only does compliance provide the necessary budget and attention you need for your organization, it provides a systematic approach that can make implementing security more manageable so that you don’t have to face the post-breach clean-up, lawsuits, brand damage, etc.
When the story changes and compliance is viewed as a business driver, something that leads to a better competitive advantage, and everyone’s responsibility, it does not have to be so hard or “dirty.” When you have the right resources, whether internal or external, to help you set it up correctly from the start, teach the organization what it means, why it’s important, and why their role matters, it become manageable.
If you are in business to stay in business and grow, security matters, and you will want to embrace compliance as a driver. As a consultant in this arena I work with a lot of clients where I come out knowing that they have made a real difference in their security posture and their future growth.
If you have questions about compliance or want to discuss strategies for making it easier, email firstname.lastname@example.org. If you don’t have a security team and want more information on how Virtual CISO services work, which are designed to help small and medium size organizations maintain their security and compliance posture reach out so we can talk in more detail.