Risk Management is a Process, Not a Person

By ISBuzz Team
Writer, Information Security Buzz | Sep 25, 2014 05:03 pm PST

“We’ve got someone for that.”

I hear it all the time. When in doubt, a manager will explain that they have a person who has mastered something, and because they have that person, they are no longer at risk of exposure to a particular outcome or threat.


The problem with this thinking is that it assumes you can rely on a person in the absence of a process. And on occasion, that’s true. People solve problems all the time. But when it comes to risk management, relying on a person is no substitute for a process. Regulations and requirements are evolving too quickly, and the costs associated with discovering “surprises” during an audit are too high.

I’ll give you an example. A national retailer relies on an individual to manage its PCI compliance. The individual is well-versed in PCI language, controls and standards. They understand the information architecture behind the transaction process and diligently study the protocols required to maintain compliance.

But the individual is not omniscient or omnipresent. PCI compliance requires securing more than the cardholder data itself and the systems that store, process or transmit it. Enterprises also need to make sure that any system which could potentially see the transaction is protected as well, because such systems are in scope for the assessment.

Unaware of this, the retailer changes its cashwrap (point-of-sale checkout) configuration and exposes itself to unforeseen risk. Without real-time, all-the-time visibility into their compliance status, organizations keep following practices that no longer match their actual environment.

In other words, in this example people failed where a process would have succeeded. The root of the problem is that individuals, such as a Compliance Officer, cannot enforce policy across an organization without a process behind them. In many cases, departments within an organization violate compliance regulations or contractual obligations, to the company's detriment. When that happens, the Compliance Officer is the one held responsible, despite never having had organizational accountability and processes in place. Processes make everyone accountable for adhering to company policy and procedures.

In many ways, the argument for Continuous Compliance & Assurance (CCA) and outsourced expertise is less about criticizing in-house teams and more about recognizing the natural limitations that prevent them from being successful. Without tools that make risk management transparent and predictable, and without the expertise to anticipate and understand the complexities of modern transaction environments, the in-house team is set up to fail. And oftentimes, it isn't really their fault.

Savvy companies have a process for risk management that includes people, both in-house and outsourced, to support it.

By Jeff Brown, VP Sales & Marketing, CompliancePoint

About CompliancePoint

CompliancePoint is a leader in information risk management and industry and regulatory compliance, such as PCI and HIPAA. CompliancePoint helps clients safeguard information assets and ensure regulatory compliance. The company provides third-party assessments and develops enterprise security policies and programs based on the ISO 27001 information security framework and the regulatory requirements of HIPAA, SSAE 16, Payment Card Industry (PCI) DSS 2.0, PCI PA-DSS and NERC CIP.