Compliance Management, GRC

Noord Roundtable: What We Learned About Moving From Reactive To Proactive IT Compliance And How To Get Business Buy-In

Written by

Matthew Davies

Published on

6 Jan 2021

Last month I had the privilege of representing SureCloud at Noord’s latest virtual boardroom discussion, entitled "Moving from Reactive to Proactive IT Compliance: Enabling Business Buy-in and Effective Engagement". These roundtable discussions are always an incredibly rewarding experience, as they give board members and senior-level staff the chance to share their valuable takes on broad and complex topics that tend to vary from business to business. These perspectives can help set new ideas, benchmark progress, and spark discussion around key innovations – and compliance is no different in that regard.

Our 90-minute virtual boardroom discussion centered around the pressure companies are put under – and put themselves under – each and every day to fulfill their compliance obligations without compromising their level of service or plans for growth. It’s a given that every successful company out there wants to remain successful, but as the compliance landscape gets ever more complex – particularly around IT and the handling of personal data – it’s becoming easier and easier for things to slip through the cracks. As businesses accelerate their plans for digital transformation in light of the global pandemic, the last thing they need is for their newly implemented systems and processes to raise concerns around security and compliance – which can be very costly.

The above sentiments were shared by everyone on the panel, which consisted of business leaders and department heads concerned with privacy and IT compliance.

What we discovered…

In many ways, it’s reassuring to know that all companies – regardless of the industry in which they operate – have the same challenges when it comes to optimizing compliance. While regulatory standards are complex and can vary from sector to sector, the mechanics of solving the IT compliance conundrum remain the same. As systems have gotten more capable, they’ve also gotten more complex, to the point where even a small department can have tens – if not hundreds – of intersecting compliance requirements to consider. The more data a business gathers and utilizes, and the more personalized and intimate its marketing and services, the more twists and turns its compliance journey entails.

Everyone at the roundtable agreed that this often leads to needless confusion, with overlapping and duplicate controls to embed, test, and manage. In other words, it creates a lot of additional work that is largely redundant. This tends to result in internal stakeholders becoming frustrated when there are bottlenecks, and the pressure mounts on compliance and auditing teams as they feel they’ve become a hindrance to progress rather than an asset.

Our key takeaways…

By far, the greatest challenge of mastering assurance and compliance is the ability to rationalize control frameworks and standardize controls. When businesses respond to new or updated regulatory requirements, they tend to do so reactively, adding controls to meet each requirement as it arrives, which is completely understandable. Therefore, when regulatory requirements change, organizations need to ensure that they take a step back to consider whether their control framework needs to be rationalized and their controls standardized in response.

One of the speakers on our panel also brought up how important it is to cultivate a ‘culture of compliance’ throughout an organization. Initiatives such as proactive breach reporting should be encouraged, and reporting hundreds of minor compliance issues should be something that is celebrated and encouraged, because uncovering these issues in the first place is often half the battle. Businesses that want to take a proactive approach to IT compliance and risk management should:

  • Do away with silos or come up with a dedicated process that collates and connects disparate data sets throughout the business
  • Make processes visible, traceable, and predictable wherever possible
  • Define streamlined processes for collecting and reviewing evidence on a regular basis
  • Automate these processes where possible to increase their efficiency
  • Seek out a reporting and monitoring system that will ensure compliance and support ongoing improvements as the business grows

The Noord Virtual Boardroom took place on April 27th and was hosted in association with SureCloud. To learn more about SureCloud’s GRC solution and its capabilities, and how your business can benefit, get in touch today.

Matthew Davies - VP of Product

About Matthew 

Matthew Davies is responsible for the go-to-market proposition behind our GRC solution offerings and helps maximise the business value of our solutions. Before SureCloud, Matthew previously held positions in GRC implementation, pre-sales and product development at Deloitte and PWC.

About SureCloud

SureCloud provides cloud-based Governance, Risk and Compliance products, and Cybersecurity & Risk Advisory services, which reinvent the way you manage risk. SureCloud connects the dots with Integrated Risk Management solutions, enabling you to make better decisions and achieve your desired business outcomes. SureCloud utilizes a highly configurable technology platform, which is simple, intuitive, and flexible. Unlike other GRC platform providers, SureCloud is adaptable enough to fit your current business processes without forcing you to make concessions during implementation, meaning you get immediate and sustained value from the outset.