Today CIOs and CISOs are faced with the challenge of attaining or maintaining security controls in order to comply with industry standards, regulations or legislation such as PCI DSS, SOX 404, Basel II and/or the Data Protection Act. Alternatively, they may ‘just’ be attempting to find evidence of compliance with a set of internal risk policies aligned to ISO 27001. In a normal business environment, complying with regulation is demanding enough, but in a post-credit-crunch world of budget cuts the hill is likely to get steeper: more will be needed from less. Downward cost pressure accelerates the need to leverage value-added technical innovations such as virtualisation and cloud computing, whilst at the same time maintaining or improving compliance levels.
This article is the first of three in a series providing advice aimed at helping organisations structure their compliance programme so that it addresses their immediate needs and provides the flexibility that organisational and technological change demands, without losing control of future compliance levels.
COMPLIANCE AND THE FINISHING LINE
With the plethora of regulations that businesses face these days, it is often difficult to grasp what a state of ‘compliance’ actually means. This is largely due to the manner in which many standards and laws are worded, combined with technological evolution, which makes it difficult to know when you have reached a state of being compliant. Faced with this conundrum you turn to your auditors and discover that being compliant often means ‘giving the auditors comfort’ (and auditors rarely feel comfortable!). Worse still, the Board always wants to know the answer to the question “How compliant are we?” and expects some kind of quantitative answer. Without clear baseline standards to measure yourself against, it is impossible to answer this question. Therefore, managing the detail is key, but difficult.
MAKING THE PAIN STOP
Reaching and staying compliant with any regulation can be a painfully slow process, littered with missed milestones, endless repetitive meetings and frustrated or disappointed senior executives. What started out as cosy Friday morning chats around the CIO’s table rapidly turns into a nightmare of spiralling project costs, complex spreadsheets, questionnaires, status reports and, worse still, remediation activity that seems to burn capital yet does not seem to improve the compliance ‘score’. All of this leads to perpetual conversations with the internal auditors about what, exactly, constitutes ‘evidence’ and what the external auditors do or don’t care about. So is there a better way?
STRUCTURING THE PROBLEM
Unlike many traditional technology projects, whose scope and ambition diminish over time, compliance initiatives move in the opposite direction. What starts as a small and simple problem becomes bigger and more complex once the true workload required to bridge the gap becomes clear, and in most cases it is something that a single department cannot execute in isolation. It demands a multidisciplinary approach to manage a portfolio of projects and initiatives. Therefore, the first thing the CIO/CISO should do is appoint a senior programme/project manager to oversee the necessary changes, providing the mandate and budget required to deliver the desired results.
However, this is just the first step in building structure. In many cases the Compliance Programme Manager may have an audit or accounting background, sometimes a project management background, sometimes a general business background, and often an entirely different background altogether. Therefore, it is advisable to consider supplementing the skills of this key individual with additional knowledge, in terms of both content and process, by implementing a purpose-built compliance solution.
SELECTING A COMPLIANCE SOLUTION
In order to reduce the likelihood of ‘death by spreadsheet’, any mid-sized or large business that is about to embark on serious compliance activity should consider automating the management and governance effort as much as possible. Such solutions do not make individual issue remediation efforts any easier, but they will make management and governance of the compliance process far more structured and transparent. Several commercial software solutions exist to help in this regard, and organisations should select and implement the one that best fits their requirements.