We’ve all seen the guy at the gym with the hi-tech sneakers, coordinated sweatbands, and expensive personal trainer. It’s the guy who shows up every day at the same time to work out but always walks away without ever breaking a sweat. In his mind, he’s on track to being in the best shape of his life, but in reality he’s made a weighty investment in something he’s not appropriately utilizing.
Very often, we hire personal trainers because we’re looking to increase our efficiency. We want a skilled and knowledgeable expert to help us meet and exceed our goals in the fastest and most productive way possible. However, if we make the investment to hire one but we don’t show up to our scheduled training, or we decide to take it easy on the workout, we’re being extremely inefficient: our investment will be wasted, their knowledge will be wasted, and everyone’s time will be wasted.
In reality, efficient risk management is not much different. In order to be successful, businesses must align expertise and smart technology to create an ongoing process that delivers predictable and transparent results to meet information security goals. To ensure this, businesses must resist the urge to rely on their auditor as their personal trainer. They need to retain outsourced risk management expertise and empower internal resources to keep their controls and systems in a state of good health at all times rather than just in advance of audits.
Efficiency savings are maximized when the auditor has exactly what they need at the time of the audit. This isn’t an overnight process (similar to rock hard abs) or something to be saved till the last minute. Risk management needs to be an ongoing process that creates a perpetual state of assurance. Auditors should not be pushing internal risk managers to the finish line in order to get them everything they need to perform the audit. Instead, auditors should be at the end of the race and clocking in the time for the work risk managers have already done.
Many times this inefficiency occurs when internal staff don’t know exactly what needs to be done in advance of the audit. It shifts auditors away from performing audits to educating staff—a grossly inefficient allocation of resources and funds. Auditors should not be spending their time trying to explain what they need in order to conduct an audit. If businesses are investing in risk management systems, they need to be sure that their information security is working efficiently and cost-effectively.
When businesses access outsourced risk management expertise and implement a Continuous Compliance & Assurance program, they are innately more efficient and can better control the outcome of their audits. By trusting a knowledgeable team of risk managers rather than relying solely on in-house staff with limited knowledge of evolving compliance issues, businesses have the assurance that their systems are being managed efficiently.
Avoid being that guy at the gym by taking advantage of risk management expertise that can whip your information security systems into shape without creating redundancies and wasting time.
By James Brown, Technical Advisor and BDM, CompliancePoint
Bio: James Brown is BDM at CompliancePoint, a leader in information risk management and Industry and Regulatory Compliance such as PCI and HIPAA. CompliancePoint helps clients safeguard information assets and ensure regulatory compliance. The company provides third party assessments and develops enterprise security policy and programs based on ISO-27001 Information Security framework and regulatory requirements of HIPAA, SSAE 16, Payment Card Industry(PCI) DSS 2.0, PCI PA-DSS and NERC CIP.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.