Raising the Profile of Compliance – The 3 Cs for Success

ISBuzz TeamBy ISBuzz TeamJanuary 14, 2015Updated:July 4, 20245 Mins Read
The value of compliance is often questioned by senior executives who perceive it as an obligatory tick-box exercise that rewards little and subsequently lacks investment from the board. However, a change of approach that aligns compliance with Business-As-Usual (BAU) activities can deliver results that cast the whole exercise in a much more positive light.

Faced with the major additional workload demanded by statutory obligations, it is easy for enterprises to forget that the underlying intent of regulation is to improve working practices in order to reduce risk and protect the business. Achieving standards such as PCI DSS compliance involves a mountain of effort, tying up many valuable resources. In spite of all this work, the conventional audit-centric approach to compliance leads to compliance levels dropping off in between annual audits. This puts the business at risk, leads to fines for non-compliance, and also undermines the value of such standards.

It’s time for businesses to take a fresh look at the auditing process to better serve the enterprise and raise the profile of compliance as a discipline that delivers tangible benefits. The elements of change can be summarised as the three Cs of compliance – continuous, collaborative and control-centric.

1. Continuous

A continuous approach to compliance can deliver far more value to an organisation than a series of retrospective assessments. Rather than undertaking annual audits, compliance should be part of an ongoing process, where compliance activities are carried out continuously on a day-to-day basis. Continuous compliance is not only more efficient in terms of process, but it also yields higher and more stable levels of compliance. Organisations will be more secure and less likely to be breached as a result. Switching to continuous compliance needn’t be complicated. In our experience, organisations that adopt a more cyclical approach find that compliance activities are streamlined and more productive. These new capabilities provide greater stability, allowing businesses to identify weaknesses and reduce risk.

2. Collaboration

Enabling stakeholders to collaborate allows each control to be managed on a BAU basis – daily, weekly, monthly or quarterly as needed. With staff collaborating to undertake relevant tasks as part of their day-to-day roles, there is no need for a compliance project/admin team to gather retrospective evidence that controls are being met. This will drive productivity as the compliance specialists can cover more ground with business analysis and assessment.

Collaboration between those responsible for contributing compliance data should extend beyond internal staff to include external stakeholders from the extended enterprise, with access set via user-based provisioning. This provides the immediate benefits of eliminating duplicated effort, ensuring that more accurate information is collated and, in turn, providing a more representative insight into compliance status.

3. Control-centric

The old audit-centric approach to compliance should be scrapped and replaced with a control-centric approach. Rather than providing evidence that each control is being met for each standard separately, controls will instead be linked to one or more standards. This avoids duplication of effort and provides a holistic view of the entire compliance landscape. Greater visibility also allows weaknesses to be identified more easily so that remedial action can be taken quickly to reduce business risk. By moving the emphasis from the standard to the control, an organisation can more easily focus on the intent of the control – i.e. to improve the business – rather than achieving compliance per se.

Working together, these elements streamline efficiency and help enterprises meet their ongoing security needs. Introducing process automation delivers productivity gains to compliance initiatives that may previously have been manual and a drain on resources. In conjunction with solid analytical capabilities, process automation enables enhanced decision-making and speedy implementation. Pursuing the three Cs of compliance can add tangible value to the business. For example, by adding analytics capability it becomes a lot easier to see whether or not to trade with certain suppliers that have a high ‘risk’ value. Greater levels of integration and process automation lead to greater efficiency; for example, executives benefit from a holistic view of the entire compliance landscape. This improved visibility cuts duplication of effort, highlights vulnerabilities, and promotes fast response to business risk. Finally, many regulations have overlapping requirements with certain controls in common. When the focus is on continuous compliance, controls can be mapped to multiple standards. This frees the organisation to migrate easily from one version of a standard to another, such as when moving from PCI DSS v2.0 to PCI DSS v3.0.

In summary, achieving compliance does not have to be accompanied by frenzied annual activity that yields little value. By enhancing corporate compliance initiatives to incorporate continuous, control-centric measures aided by process automation, enterprises can substantially reduce exposure to risk and deliver tangible business benefits. The increased stability that compliance will bring may even change some of the negative perceptions executives have in relation to compliance and loosen the purse strings.

By Richard Hibbert, CEO, SureCloud

Bio: Richard is co-founder and CEO of SureCloud®, a provider of Software-as-a-Service Governance, Risk and Compliance solutions. Prior to founding SureCloud, Richard held a range of senior executive positions at high-technology organisations in the UK, mainland Europe and North America, where he led sales, marketing and market development functions.

Today, in addition to leading SureCloud and overseeing the continual innovation of the SureCloud platform, Richard advises enterprises on their governance, risk and compliance practices.