Compliance Management, GRC

Moving From Reactive To Proactive IT Compliance: Enabling Business Buy-In And Effective Engagement
Written by

Matthew Davies

Published on

20 Jul 2021

On April 27, 2021, Noord hosted a virtual boardroom in association with SureCloud. The event comprised an introduction by Craig Connolly, Head of Technology GRC (UK & Ireland Division) at Flutter Entertainment Plc, and Matthew Davies, Senior Director, Product Management at SureCloud, followed by a discussion among senior IT professionals on ensuring proactive IT compliance.

Opening of the session

Matthew Davies kicked off the session by touching on the key challenges IT compliance professionals face today. These include making sure business is done as quickly as possible without compromising on security; ensuring organizations understand their compliance obligation and see the value of IT compliance and security; and tackling the ever-increasing number of intersecting IT and privacy compliance requirements.

Craig Connolly then briefly touched on his professional experience, having started in technical auditing, and working in financial services before moving into GRC in the betting sector.

Reasons for attending and key challenges

Participants were asked to outline their reason for attending and the key challenge faced by their organization. They brought with them a range of expertise, including in global security, data security and privacy, data networks, global applications and connected services, and cyber risk and compliance.

The organizations represented were at different stages of the IT compliance journey, with one attendee noting that they wanted to understand what requirements were out there and another noting that their organization had been striving for IT compliance for years yet was still looking for ways to be more proactive and less reactive.

Some key challenges raised were improving compliance without necessarily hiring more employees, securing business buy-in, the ‘security debt’ accrued in the wake of the swift and potentially incautious transition to remote working during the pandemic, and achieving continuous assurance.

Setting up a regulatory compliance program to establish and deploy key technical and security controls

Craig cited the example of Sky Betting’s acquisition by the Stars Group, an American company, which resulted in the need to achieve SOC compliance. In an organization defined by its pace and agility, the unprecedented focus on scrutiny and rigour had brought about a culture shock. The business had been required to understand its key business processes and subsequently apply IT general controls to its systems.

Similarly, another attendee noted the challenge of having a parent organization that has a different level of compliance maturity. Moreover, the point was made that when bidding for work with larger corporations, it can be a commercial advantage for a smaller company to demonstrate compliance with regulations.

Many attendees stated that they were dealing with multiple regulations, such as SOC, GDPR and PCR, noting that in a global context, there can be competing regulations between regional offices, which makes the compliance landscape harder to navigate.

The point was made that compliance does not always stem from legal requirements. For instance, one attendee from a housing association noted that their organization has a lot of assets and data, so in addition to complying with legal regulations, it is important to de-risk by changing organizational culture. Having ‘security champions’ was mentioned as an effective tool for involving employees in a wider conversation about risk and security, with the ultimate goal of raising awareness and changing behaviours.

Managing and rolling out multiple compliance workstreams in a complex organization

Under this topic, one attendee noted that employees quickly get ‘compliance fatigue’ when they feel plagued by the same questions for different regulations, which in turn causes greater disengagement. The ideal scenario is to avoid duplication and streamline questions into one survey.

Picking up on this idea, another participant noted that their organization had merged their IT control framework and privacy control framework into a single document and had developed a sensible schedule to test all the controls, with some more crucial controls being subject to more regular testing.

Craig then mentioned the idea of a self-attestation model for controls, which his company had adopted to create a robust, evidence-based control environment whereby risk and control owners self-report on the controls for the specific assets they are responsible for.

Matthew mentioned the Unified Compliance Framework and the Secure Controls Framework, noting that companies often find the latter a useful starting point as it provides implementation guidance and examples of immature and mature controls.

Exploring active compliance

Participants briefly discussed active compliance, with Craig noting that his organization tended to rely on second and third-line assurance teams as an indicator of control health, although some automation has been introduced to the audit testing process in terms of how evidence is collated from certain systems. However, continuous assurance was still very much an objective rather than a reality.

This sentiment was echoed by one participant who noted that as it was difficult to say what continuous assurance would look like, it was difficult to make executive decisions in this area.

Adding to this, Matthew noted that one of SureCloud’s clients had built a bot to automate compliance in a few critical areas, but that it was difficult to make sense of the data the tool retrieved as it was not presented in a standardized way.

Ensuring you are taking the organization along with you on the IT compliance journey

The point was made that employees will always push back on change if they can’t see a direct benefit to doing something – especially if the control in question is far removed from the business process it supports.

Craig noted that the self-assessment protocols his organization had implemented impelled control leads to report weaknesses rather than sweep them under the carpet, helping to foster a culture of accountability. The relevant employees can then seek guidance and develop action plans to ensure that such issues are resolved in time for live audits.

Similarly, another participant mentioned the importance of reporting even the most minor data breaches, as this enables teams to conduct root cause analysis and find faults before they become business critical. While there was recognition that reporting breaches may not always reflect well on the company, it instils the right kind of culture in the long term.

One attendee noted the importance of communicating the consequences of non-compliance to employees. These shock and awe tactics, though undesirable, were seen as necessary to ensure that people take ownership and make decisions, rather than prevaricating and leaving the decisions to more junior employees who may get things wrong.

Lastly, participants discussed risk acceptance, with employees potentially not realizing that accepted risks still need to be tracked and addressed at some point down the line. Risk acceptance was also seen as a way of shirking responsibility, so attendees felt that there needs to be a way of making compliance a priority – although no suggestions were provided.

Closing of the session

In summing up, Craig noted that the SureCloud GRC platform allows his organisation to create a general control based on multiple other controls, offering an out-of-the-box toolset solution, and allowing organizations to map across multiple frameworks.

Matthew Davies - VP of Product

About Matthew 

Matthew Davies is responsible for the go-to-market proposition behind our GRC solution offerings and helps maximise the business value of our solutions. Before SureCloud, Matthew held positions in GRC implementation, pre-sales and product development at Deloitte and PwC.