By Craig Moores, Risk Advisory Senior Director
Trying to stay fully compliant today can be like trying to hit a moving target. The regulatory landscape is now evolving at such a rapid pace that many companies find themselves working overtime just to keep up, let alone get ahead of the curve. From privacy regulations such as CCPA and GDPR, through to standards such as PCI DSS and frameworks such as CSA or NIST, a lot of work goes on behind the scenes to ensure that organizations are fully compliant.
Most organizations are broken up into three management tiers: strategic, tactical and operational. The problem is that these tiers are often siloed, leading to gaps and inefficiencies that can have potentially devastating consequences. The need to react quickly to changes in the market, for instance, can often leave security and compliance objectives playing catch-up. The compartmentalization of compliance activities can also lead to disjointed decision-making and a last-minute “point-in-time” approach to operations rather than proactive planning that’s based on experience.
According to IBM’s 2021 data breach report, system complexity and compliance failures were among the top factors that amplified the cost of data breaches.
For an organization’s compliance strategy to be effective, the gap between corporate governance at a strategic level and day-to-day compliance at an operational level must be bridged. That bridge is continuous compliance. With this in mind, Craig Moores, Risk Advisory Senior Director, discusses some of the practical steps that businesses can take to deploy and monitor continuous compliance.
Continuous compliance is about managing your compliance requirements proactively throughout your entire IT and business environment. It’s about shifting your organization’s culture to one that shapes strategies and reviews compliance in lockstep, and on an ongoing basis. An organization’s compliance position is constantly changing, just as the regulatory landscape changes around it. Continuous compliance combines people, processes and technology to help keep your organization ahead of the compliance curve, instead of always lagging just behind it. In doing so, it all but eliminates the stress usually associated with annual audits, freeing your team up to aid the business in more useful ways. This all starts with testing, automation and the simplification of operational processes.
The methods for creating a compliance testing program will quite rightly vary from one organization to the next, but there are some key guiding principles to bear in mind. First of all, organizations should be seeking to move away from a “point-in-time” approach to assessments. Instead of thinking about quarterly or yearly audits, organizations should be looking to demonstrate an ongoing understanding of how their compliance controls are functioning day-to-day. To make testing more streamlined, organizations should also seek to rationalize compliance requirements and remove unnecessary overlapping controls. One of the most important principles to follow when creating a continuous testing program is to take a compliance-first approach in the development of all business processes. This “compliance by design” philosophy will help organizations bridge that crucial gap between governance at a strategic level and compliance on the ground. By factoring in any compliance ramifications while new processes or services are in development, businesses will be able to take a more holistic approach to compliance and risk.
One of the key difficulties organizations encounter when attempting to embrace continuous compliance as part of their culture is the reduced centralization of control and compliance management. This inevitably occurs with distributed working and a high volume of stakeholders. Automation can address this by providing a centralized and logic-driven approach that makes controls easier to review, measure and report on. This “single pane of glass” view of compliance can make review cycles easier to plan and execute while drastically reducing the number of manual compliance checks needed.
For continuous compliance to be effective, it has to be visualized and communicated in the right way. Organizations should seek to create a meaningful “true view” and ensure that all details are regularly updated and communicated to relevant stakeholders. It’s also vital that organizations have a solid understanding of what their highest-risk services are being measured against in terms of compliance. For businesses accepting card payment transactions, for instance, ongoing compliance with PCI DSS 4.0 is going to be crucial. However, being able to demonstrate continuous compliance is arguably just as important as compliance itself. Automated cloud-based platforms can help organizations to structure and schedule real-time reports that can be used during internal and external audits, as well as to attach remediation trackers to any non-compliant requirements.
Organizations are in a constant state of evolution, so it’s only right that their security and compliance operations should be too. The days of “point-in-time” assessments and quarterly box-ticking have long since passed, and organizations that aren’t ready to modernize their compliance processes will end up trapped in a cycle of non-compliance penalties and regulatory catch-up. The technology is already available, but businesses also need to adapt their culture to one that’s more open and holistic when it comes to fulfilling compliance objectives.