20th March 2013
Organisations big and small need a collaborative approach to compliance, with affordable entry points and a more agile alternative to managing risk says Richard Hibbert, CEO of SureCloud.
21st century organisations are exposed to increasing levels of cyber threat as corporate boundaries are extended through the increased adoption of ecommerce platforms, the outsourcing of business processes to cloud-based providers, and employees’ use of personal devices and social networks in the workplace. As a result, the number of organisations reporting a security breach is growing all the time.
In response a plethora of information security standards designed to mitigate risks have been introduced. These standards originate from multiple sources – internal governance teams, trading partners and regulatory bodies – as each takes steps to protect their interests. Even though these standards proffer similar practices and procedures, there is no common or unified approach frequently leaving organisations burdened with multiple, overlapping compliance standards. Furthermore, compliance involves many stakeholders: trading partners, regulatory bodies, external auditors, as well as an organisation’s own people such as the compliance, IT and executive teams. As such compliance cannot be viewed as a single internal process; it can be extremely complex, crossing businesses functions, and transcending corporate boundaries and processes, and needs to consider the different interests and objectives of each stakeholder.
Even when it comes to an area driven by regulatory requirements – as Governance, Risk and Compliance (GRC) is – IT spend is kept under careful scrutiny. This creates a recurring problem for most of today’s leading enterprise IT GRC solutions. They are comprehensive in nature and require organisations to adapt internal processes to meet proscriptive software that demands best practice at every level. Their all-or-nothing quality makes it difficult to pilot solutions. Valuable resources are tied up managing multiple point solutions and projects inevitably suffer from lengthy implementation timeframes. And there is a direct correlation between implementation time and the potential for project failure. Another reason for failure is that the software licences are too complicated for what organisations need.
In the absence of automated GRC applications the only real alternative left to IT and compliance teams is to rely on the next best tools for the job – spreadsheets. Spreadsheets are regularly used for such risk assessment activities as asset registers, compliance audits, project planning, risk treatment, records management, 3rd party assurance, user awareness questionnaires, incident responses, gap analysis and management reporting. It is not uncommon to find 100’s if not 1000’s of spreadsheets in circulation between multiple internal and external stakeholders from internal auditors, HR and IT to external auditors, trading partners and suppliers. Process and workflow management, however, tends to be manual rather than automated leading to a scatter-gun approach that is inefficient, labour intensive and complicated. An over-dependence on spreadsheets makes the compliance process extremely time consuming, inefficient and prone to human error. Such inefficiencies have hidden costs and run the risk of delivering results that are not fit for purpose.
SureCloud advocates a collaborative approach to compliance using a Software-as-a-Service model. This approach has key advantages. First, it is much simpler. Immediate compliance goals can be met with a short-term project for just a few thousand pounds rather than having to commit hundreds of thousands to doing everything over a much longer period. Second, starting small and evolving processes to suit specific solutions or use cases over time results in greater agility and considerably reduces the risk of IT GRC project failures. By adhering to four central pillars – agility, accountability, connectivity and scalability – it is possible to automate any IT GRC process. At the heart of the solution are a set of standard template forms – designed in collaboration with hundreds of partners – for all of the key standards that give users the ability to define any input according to fields, lists, formulae or any other type of system object. Single tasks can be built up easily into projects. A central library (with links to SharePoint) stores all documentation and connects to the compliance process. Customer data can either reside within SureCloud or stay on-premise and merely link to the solution. There is a powerful records management facility with granular permissions. Evidence and records can only be approved or removed with the appropriate authorisation allowing organisations to demonstrate their compliance with requisite rules and regulations. Additionally in-built workflows, reports and dashboards help users deliver management and operational information (or they can develop their own if they choose to). Internal and external groups are given access control and the status of their individual input is reflect on the dashboard giving the customer actionable intelligence about they meet compliance, where they do not and where suppliers are posing a risk.
SureCloud is able to point to hundreds of financial, retail and central & local government organisations who are benefiting from its approach. One leading UK debt collection agency is typical. Their clients, comprising leading financial institutions, expect a demonstrable a level of compliance with standards such as the Payment Card Industry Data Security Standard (PCI DSS), the Data Protection Act and ISO27001. The collaborative compliance approach has allowed this customer to consolidate multiple solutions into one platform and gain a clear picture of security status and demonstrable compliance with PCI-DSS. Plus
Information security compliance is designed to help, not hinder. It recognises the significant value of corporate information assets and the need to safeguard them, both for competitive advantage and to protect personal privacy. With a simpler, streamlined approach that enables collaborative working, every touch point in your information value chain can contribute to your information security programmes, ensuring that compliance is achieved, and maintained, in a cost effective manner. Collaborative compliance embraces multiple internal teams and systems, as well as external stakeholders, to bring together the fragmented compliance landscape and streamline IT GRC processes. With SaaS underpinning the delivery and commercial model, collaborative compliance is the way ahead for organisation seeking visibility and control of their information security programmes, at a price point that encourages trial and de-risks enterprise rollouts.
Most organisations today are seriously under-estimating how easy achieving demonstrable compliance can be.