Reasons for attending and key challenges
Participants were asked to outline their reason for attending and the key challenge faced by their organization. They brought with them a range of expertise, including in global security, data security and privacy, data networks, global applications and connected services, and cyber risk and compliance.
The organizations represented were at different stages of the IT compliance journey, with one attendee noting that they wanted to understand what requirements were out there and another noting that their organization had been striving for IT compliance for years yet was still looking for ways to be more proactive and less reactive.
Some key challenges raised were improving compliance without necessarily hiring more employees, securing business buy-in, the ‘security debt’ accrued in the wake of the swift and potentially incautious transition to remote working during the pandemic, and achieving continuous assurance.
Setting up a regulatory compliance program to establish and deploy key technical and security controls
Craig cited the example of Sky Betting’s acquisition by the Stars Group, an American company, which resulted in the need to achieve SOC compliance. In an organization defined by its pace and agility, the unprecedented focus on scrutiny and rigour had brought about a culture shock. The business had been required to understand its key business processes and subsequently apply IT general controls to its systems.
Similarly, another attendee noted the challenge of having a parent organization that has a different level of compliance maturity. Moreover, the point was made that when bidding for work with larger corporations, it can be a commercial advantage for a smaller company to demonstrate compliance with regulations.
Many attendees stated that they were dealing with multiple regulations, such as SOC, GDPR and PCR, noting that in a global context, there can be competing regulations between regional offices, which makes the compliance landscape harder to navigate.
The point was made that compliance does not always stem from legal requirements. For instance, one attendee from a housing association noted that their organization has a lot of assets and data, so in addition to complying with legal regulations, it is important to de-risk by changing organizational culture. Having ‘security champions’ was mentioned as an effective tool for involving employees in a wider conversation about risk and security, with the ultimate goal of raising awareness and changing behaviours.