In every business, security executives face the day-to-day challenge of maintaining and improving a compliance program that satisfies the thousands of information security, IT and data privacy requirements that make up today’s complex regulatory landscape. While trying to unpick all the overlapping requirements, you are testing, then testing again, and then again against each regulatory requirement to demonstrate compliance. There must be a simpler way. Matthew Davies, Senior Director of Product Management, untangles the complexities and explains how technology can be leveraged to reduce the compliance burden.
Let’s look at some of the key challenges facing today’s security and compliance professionals. A big one is making sure that business is done securely and quickly. Ultimately, you don’t want to be a block or a hindrance to business, but you do want to make sure that things are secure, compliant and going well. Then there is the ever-increasing number of compliance requirements that you need to understand and deal with. Furthermore, these requirements, unfortunately, come from multiple sources, so there’s a lot of overlap. Bringing everything together in an efficient way is challenging, and, inevitably, as a compliance professional, you want to simplify the testing and evidence collection process as much as possible. It is a constant issue for organizations when their business stakeholders are repeatedly asked about similar, if not the same, controls. You end up with a lot of audit fatigue, with people not seeing the value of what compliance does, and definitely not seeing it as a necessary enabler for doing business securely and safely.
A lot of organizations start with a fairly simple requirement, something like ISO 27001, and then something changes internally. It could be new business goals, or perhaps you have won a new contract. In the case of a new contract, it may mean you need to go into new jurisdictions where there are different regulatory requirements. You might have suppliers that say “We want you to be ISO 27001 compliant or have a SOC2 Report.” There might be new employees coming in who have their own thoughts on how they want to do things, adding new frameworks or standards that they’ve used in a previous workplace, for example. The thing to note here is that it’s often additive. Often, there isn’t anyone questioning, “do we need all these additional controls?” We’re just adding to them over and over again. And even if you stay where you’re at, making no changes to your business internally, there are still regulatory changes to contend with.
Another issue is that different teams often manage regulations, frameworks and standards separately. With a lot of duplication and overlapping requirements between all of these, you can see how easy it is to end up with a tangled web.
So, how do we address these overlapping requirements? The answer really is to establish a baseline set of controls. This means having a set of controls mapped to the internal and external requirements you want to meet. This will allow you to have one single policy control rather than four or five versions from multiple frameworks and standards.
Reducing the number of controls not only simplifies the mandate, but also creates a consistent format and language across the control framework. When the wider business sees those controls, it’s pretty clear what it should look like, the level of detail they expect, and that it’s standardized. This allows you to test more easily. You have one control to satisfy many requirements, which ultimately allows you to be a lot more proactive and reduce the overall testing and evidence collection burden.
So, how do we do that? If we look at the practical steps to adopt a baseline control set, I think the first thing you need to think about is whether we have a clear message from senior leadership that this is something we want to do. Fundamentally, this is going to change the way that your organization manages controls. There needs to be an understanding that there will be short- to medium-term pain to deliver this kind of program, but also that this is the right thing for the organization to do.
The next thing to think about is defining scope. It’s probably not realistic to do everything at once, so we need to think about the two or three business-critical things that we want to bring together first. Then you will select those appropriate regulations, frameworks and standards to define a scope of what the program should do. And again, it might just be a few that you start with, but it means you can display to senior management that it’s working; you’ve got these controls and you’re really making it easy for the organization.
Then you can move to look at how you’re reviewing them in a more consistent way. Improvements and changes to controls can be rolled out across the entire business in a much more proactive way because you’re keeping on top of them. And because those controls are standardized, you can look at agreeing and defining metrics to monitor controls. It’s now a lot easier to use things like continuous control monitoring to see how these controls are operating throughout the year. We’re no longer waiting for ad hoc testing cycles to review them.