It’s almost impossible to overstate the complexity of today’s compliance landscape. Amid the modern web of information security and data privacy requirements, it’s not uncommon for businesses to feel like they’re swimming against a tide of regulation with the sole objective of keeping their heads above water. As businesses develop and evolve, digitizing their services and broadening their reach, traditional ‘point in time’ audits have become unfit for purpose. Instead, businesses now have to think about compliance in real-time, ensuring that their business is always one step ahead of the compliance curve instead of lagging behind it.
However, that’s easier said than done. Sustaining IT compliance programs is a challenge in and of itself – one that often feels a bit like a black hole when it comes to managing resources such as time and cost. As more regulations are brought into play and existing requirements change, an increasing number of controls need to be mapped. All too often, this results in duplicate controls across departments and a loss of time and resources that could be better spent elsewhere. In order to eliminate losses and streamline compliance, businesses need to take a more holistic and embedded approach when it comes to control mapping.
But what challenges are involved, and how easy is it to overcome those challenges in a real-world environment? Matthew Davies, Product Senior Director at SureCloud, recently participated in a series of roundtables where he discussed this very topic with compliance and security experts from around the world. Here are just some of the challenges, solutions and real-world lessons that were shared.
Breaking a set of controls down into different tier-based views
The duplication of controls is arguably one of the biggest challenges facing businesses when it comes to compliance. If finance or compliance teams are responsible for manually administering controls as new regulations come into effect or existing regulations are updated, duplications are almost an inevitable by-product. Duplications are also created by administrators when they rewrite controls for different areas of the business in order to clamp down on security and play it safe. With automation, as discussed in our roundtables, businesses can continuously adapt rather than rewrite their controls, matching the view of the control to the level of the person looking at it. In this way, businesses free themselves from the need to clamp down and are able to put their resources into more meaningful pursuits.
Measuring compliance maturity
Compliance maturity levels can vary from department to department, let alone organization to organization. All levels were represented at our roundtable discussion, and everybody agreed that in order for a business to map out its compliance strategy, it must have a firm understanding of its current level of maturity. That’s all well and good, but how is this possible in the real world? First, a controls framework will give businesses the ability to measure their compliance against key criteria and reveal potential weak spots that may need to be addressed. Beyond that, external reviews and audits should be welcomed to provide a compliance maturity snapshot that businesses can use as an objective barometer to see where they currently stand.
Remember that the Secure Controls Framework is a helpful resource that lists hundreds of controls, all rationalized and baselined across more than 150 global regulations, frameworks and standards.
Reporting on the effectiveness of controls
Reporting on GRC (governance, risk and compliance) matters is now simply a part of running an organization. The more accurate and up-to-date these reports are, the more useful they are. However, the effectiveness of a control is open to interpretation, and that interpretation can change depending on who the report is for and how much detail is required. In our roundtable discussions, it was made clear that much of this challenge comes down to metrics, and to only using metrics that are accurate and meaningful in a given context. For instance, a control owner will need to see a lot more detail than a senior manager, who might only be looking for a top-line summary. With the introduction of automation, feeds can be taken from different controls to ensure that compliance is continuously monitored, making reporting even more useful.
Other challenges were also discussed as part of the roundtable discussions, such as how to align corporate risk with compliance, what to do when regulations change, and how to create a culture of compliance throughout an organization. The discussions also touched on best practice when it comes to managing third-party compliance. None of these challenges will come as news to businesses trying to get on top of their compliance objectives, but it is rare to have so many IT and compliance professionals in one space discussing actionable, real-world solutions in context.
This series of roundtable events was moderated by Rela8 Group’s Technology Leaders Club and, as well as our own Product Senior Director Matthew Davies, featured CISOs, VPs, cybersecurity heads and senior compliance managers from across the business landscape.
To learn more about the discussions and share in some of the valuable knowledge and experience shared, download our eBook: Optimizing IT Compliance: Real-World Lessons in Embedding and Scaling an Optimized Compliance Program.