Noord Roundtable: What We Learned About Moving From Reactive To Proactive IT Compliance And How To Get Business Buy-In
Last month I had the privilege of representing SureCloud at Noord’s latest virtual boardroom discussion entitled: Moving from Reactive to Proactive IT Compliance: Enabling Business Buy-in and Effective Engagement. These roundtable discussions are always an incredibly rewarding experience as they give board members and senior-level staff the chance to share their valuable takes on broad and complex topics that tend to vary from business to business. These perspectives can help set new ideas, benchmark progress, and spark discussion around key innovations – and compliance is no different in that regard.
Our 90-minute virtual boardroom discussion centered around the pressure companies are put under – and put themselves under – each and every day to fulfill their compliance obligations without compromising their level of service or plans for growth. It’s a given that every successful company out there wants to remain successful, but as the compliance landscape gets ever more complex – particularly around IT and the handling of personal data – it’s becoming easier and easier for things to slip through the cracks. As business accelerate their plans for digital transformation in light of the global pandemic, the last thing they need is for their newly implemented systems and processes to raise concerns around security and compliance – which can be very costly.
The above sentiments were shared by everyone on the panel, which consisted of business leaders and department heads concerned with privacy and IT compliance.
What we discovered…
In many ways, it’s reassuring to know that all companies – regardless of the industry in which they operate – have the same challenges when it comes to optimizing compliance. While regulatory standards are complex and can vary from sector to sector, the mechanics of solving the IT compliance conundrum remain the same. As systems have gotten more capable, they’ve also gotten more complex, to the point where even a small department can have tens – if not hundreds – of intersecting compliance requirements to consider. The more data a business gathers and utilizes, and the more personalized and intimate its marketing and services, the more twists and turns its compliance journey entails.
Everyone at the roundtable agreed that this often leads to needless confusion, with overlapping and duplicate controls to embed, test, and manage. In other words, it creates a lot of additional work that is largely redundant. This tends to result in internal stakeholders becoming frustrated when there are bottlenecks, and the pressure mounts on compliance and auditing teams as they feel they’ve become a hindrance to progress rather than an asset.
Our key takeaways…
By far, the greatest challenge of mastering assurance and compliance is the ability to rationalize control frameworks and standardize controls. When businesses respond to new or updated regulatory requirements, they tend to do so in a reactive way by adding controls to meet those requirements and when regulations change, which is completely understandable. Therefore, when regulatory requirements change, organizations need to ensure that they take a step back to consider whether their control framework needs to be rationalized and their controls standardized in response.
One of the speakers on our panel also brought up how important it is to cultivate a ‘culture of compliance throughout an organization. Initiatives such as proactive breach reporting should be encouraged, and reporting hundreds of minor compliance issues should be something that is celebrated and encouraged because uncovering these issues in the first place is often half the battle. Businesses that want to take a proactive approach to IT compliance and risk management should:
- Do away with silos or come up with a dedicated process that collates and connects disparate data sets throughout the business
- Make processes visible, traceable, and predictable wherever possible
- Define streamlined processes for collecting and reviewing evidence on a regular basis
- Automate these processes where possible to increase their efficiency
- Seek out a reporting and monitoring system that will ensure compliance and support ongoing improvements as the business grow
The Noord Virtual Boardroom took place on April 27th and was hosted in association with SureCloud. To learn more about SureCloud’s GRC solution and its capabilities, and how your business can benefit, get in touch today.
SureCloud provides cloud-based, Governance Risk and Compliance products, and Cybersecurity & Risk Advisory services, which reinvent the way you manage risk.SureCloud connects the dots with Integrated Risk Management solutions, enabling you to make better decisions and achieve your desired business outcomes. SureCloud utilizes a highly configurable technology platform, which is simple, intuitive, and flexible. Unlike other GRC Platform providers, SureCloud is adaptable enough to fit your current business processes without forcing you to make concessions during implementation, meaning you get immediate and sustained value from the outset.