What’s the traditional approach to compliance and the challenges with it?
At any given time, organizations need to ensure they’re compliant with the latest regulations, standards, and frameworks, such as ISO 27001, PCI DSS, CMMC, HIPAA, NIST CSF, and more. Today, for instance, businesses are preparing to comply with UK SOX, new legislation designed to restore confidence in the auditing of listed companies and protect investors from fraud.
There can also be contractual requirements imposed by suppliers or customers, as well as internal policies and procedures, such as information security and fair usage policies, that organizations need to comply with.
Each regulation and standard often requires you to conduct periodic audits of your IT environment to ensure that you’re meeting the requirements.
Let’s take a traditional approach to compliance and see what’s involved. Security and compliance teams will need to adopt and manage the compliance framework.
They’ll have to:
1. Manage and schedule the compliance tests and audits (which typically take place annually)
2. Request, review, and check compliance documentation
3. Conduct testing and assurance activities to identify control gaps
4. Produce reports to the business on compliance status
5. Support the preparation of documentation and evidence for external reviews and audits (SOC 2, SOX, ISO 27001, etc.).
You then have business stakeholders who are asked to:
• Prepare evidence documentation for each of the compliance requirements.
• Update any controls and remediate any testing findings.
The downsides of a traditional approach to compliance are as follows:
1. Wasted manual effort
It is driven by manual, repetitive, and disparate compliance processes that are very labor-intensive. Each compliance requirement you add makes it more complex and time-consuming, with additional manual processes throughout the year.
2. Duplicate controls
As each compliance requirement can often have remarkably similar but not identical asks, organizations can end up with multiple overlapping, if not identical, controls, leading to duplicate effort and confusion.
3. Creates hundreds of compliance artifacts
Business stakeholders can be asked for the same thing multiple times and create hundreds of compliance artifacts across email, shared drives, Word, Excel, PowerPoint, etc.
4. “Point-in-time” assessment of compliance
The traditional annual audit delivers point-in-time assessments of compliance and does not account for the time in-between where things can substantially change. Technology is evolving much faster than the traditional annual audit caters for.
5. Seen by stakeholders to slow down business
It is seen as a once-a-year activity by business stakeholders that slows down business operations and doesn’t add much value beyond a check-box exercise.
6. No aggregate, real-time view of compliance
Because the data comes from multiple disparate sources, reporting an aggregated view of compliance across the organization is very difficult, and seeing it in real time is almost impossible.
It’s easy to see how manual and disparate compliance processes can lead to duplicate controls and wasted effort, and it’s where many businesses struggle to scale as they grow. Businesses fall behind the compliance curve and run the risk of penalties or, worse, security breaches and lost data.