Compliance Management, GRC

Real-world lessons in embedding and scaling compliance

Written by

Matthew Davies

Published on

8 Mar 2022


It’s almost impossible to overstate the complexity of today’s compliance landscape. Amid the modern web of information security and data privacy requirements, it’s not uncommon for businesses to feel like they’re swimming against a tide of regulation with the sole objective of keeping their heads above water. As businesses develop and evolve, digitizing their services and broadening their reach, traditional ‘point in time’ audits have become unfit for purpose. Instead, businesses now have to think about compliance in real-time, ensuring that their business is always one step ahead of the compliance curve instead of lagging behind it.


However, that’s easier said than done. Sustaining IT compliance programs is a challenge in and of itself – one that often feels a bit like a black hole when it comes to managing resources such as time and cost. As more regulations are brought into play and existing requirements change, an increasing number of controls need to be mapped. All too often, this results in duplicate controls across departments and a loss of time and resources that could be better spent elsewhere. In order to eliminate losses and streamline compliance, businesses need to take a more holistic and embedded approach when it comes to control mapping.


Matthew Davies - VP of Product

But what challenges are involved, and how easy is it to overcome those challenges in a real-world environment? Matthew Davies, Product Senior Director at SureCloud, recently participated in a series of roundtables where he discussed this very topic with compliance and security experts from around the world. Here are just some of the challenges, solutions and real-world lessons that were shared.

Breaking a set of controls down into different tier-based views


The duplication of controls is arguably one of the biggest challenges facing businesses when it comes to compliance. If finance or compliance teams are responsible for manually administering controls as new regulations come into effect or existing regulations are updated, duplications are almost an inevitable by-product. Duplications are also created by administrators when they re-write controls for different areas of the business in order to clamp down on security and play it safe. With automation, as discussed in our roundtables, businesses can continuously adapt rather than rewrite their controls, matching the view of the control to the level of the person looking at it. In this way, businesses free themselves from the need to clamp down and are able to put their resources into more meaningful pursuits.


Measuring compliance maturity


Compliance maturity levels can vary from department to department, let alone organization to organization. All levels were represented at our roundtable discussion, and everybody agreed that in order for a business to map out its compliance strategy, it must have a firm understanding of its current level of maturity. That’s all well and good, but how is this possible in the real world? First, a controls framework will give businesses the ability to measure their compliance against key criteria and reveal potential weak spots that may need to be addressed. Beyond that, external reviews and audits should be welcomed to provide a compliance maturity snapshot that businesses can use as an objective barometer to see where they currently stand.


Remember that the Secure Controls Framework is a helpful resource that lists hundreds of controls, all rationalized and baselined across more than 150 global regulations, frameworks and standards.


Reporting on the effectiveness of controls


Reporting on GRC (governance, risk and compliance) matters is now simply a part of running an organization. The more accurate and up-to-date these reports are, the more useful they are. However, the effectiveness of a control is open to interpretation, and that interpretation can change depending on who the report is for and how much detail is required. In our roundtable discussions, it was made clear that much of this challenge comes down to metrics, and to only using metrics that are accurate and meaningful in a given context. For instance, a control owner will need to see a lot more detail than a senior manager, who might only be looking for a top-line summary. With the introduction of automation, feeds can be taken from different controls to ensure that compliance is continuously monitored, making reporting even more useful.

Other challenges were also discussed as part of the roundtable discussions, such as how to align corporate risk with compliance, what to do when regulations change, and how to create a culture of compliance throughout an organization. The discussions also touched on best practice when it comes to managing third-party compliance. None of these challenges will come as news to businesses trying to get on top of their compliance objectives, but it is rare to have so many IT and compliance professionals in one space discussing actionable, real-world solutions in context.

This series of roundtable events was moderated by Rela8 Group’s Technology Leaders Club and, as well as our own Product Senior Director Matthew Davies, featured CISOs, VPs, cybersecurity heads and senior compliance managers from across the business landscape.


To learn more about the discussions and share in some of the valuable knowledge and experience that was exchanged, download our eBook: Optimizing IT Compliance: Real-World Lessons in Embedding and Scaling an Optimized Compliance Program.