Driving down the cost of compliance is key to competitive advantage, but compliance also needs to be taken seriously and become part of a cost-effective executive risk management strategy. Compliance must be turned into competitive advantage, so that the opportunity cost of being compliant is vastly reduced. This is according to J2 Software managing director John Mc Loughlin.
Compliance roles should not be separated from the business; they should act as business enablers, integrating the compliance needs of audit and IT, and their work must be communicated at board level. To turn governance, risk and compliance into competitive advantage, it must be perceived and experienced as a 'business enabler' rather than as a function that leads to 'business prevention'.
If compliance is too time-consuming and complex, it will be ignored or shortcuts will be taken. Unseen risks cause damage and, unfortunately, one cannot manage what one cannot see. That is a simple phrase to keep in mind when implementing a governance, risk and compliance strategy.
Incidents will inevitably occur regardless of how effective the security measures are, but ongoing proactive automated enforcement, staff education and end-user buy-in will minimise the likelihood and impact of unforeseen risks.
Furthermore, compliance should not lengthen 'time to value', which is a critical success factor for many bid teams. For this reason, bid teams often do not include compliance staff, and when a complex bid is being put together in a short timeframe, cutting corners becomes a very attractive option. It is here that the risk management equation comes into its own: management is often found asking whether the cost of non-compliance is worth the risk.
When legislation is amended several times during the process, compliance can very easily become a casualty. Legislation that changes regularly, is open to interpretation and sometimes has to be implemented across continents all leads to compliance being viewed as an undesirable overhead. It has been said that, in current circumstances, every organisation - from SMEs to larger enterprises - requires a compliance department, which results in an abnormally high ratio of compliance staff to employees.
Another problem is that the chief security officer is too often seen as having a secondary function, and must constantly fight for resources and for justification of proposed policy. This can compromise compliance and create a patchy approach. This is especially true where legacy and bespoke applications are not compliant and fixes are attempted in-house when the organisation may not have the skills to do so properly, while doing it any other way would incur additional cost.
However, there does seem to be a change in perception of, and urgency around, compliance. Funds are slowly becoming available for certain types of compliance measurement, but unfortunately these new measures are seen as competing with other general security spending, i.e. physical security, anti-fraud measures and so on. These funds are usually accessed via the CIO, who must be convinced of the need for a comprehensive information security and compliance strategy.
When information security is embedded into an organisation's DNA, compliance involves not only observing the formal rules laid out in policy, but also observing the informal rules that govern circumstances the policy did not anticipate. Observing these informal rules is what demonstrates that security is well and truly embedded.
Once this process is under way, a simple but effective test of how well security is embedded is to leave a confidential document on the floor in a common area and see how passing staff handle it. Employees must be confident in handling situations where the familiar security parameters are absent, so that the informal rules, or corporate morals, kick in automatically.
As the complexity of data and the ease of access to it keep increasing, companies now have a golden opportunity to push information security and compliance to the top of the agenda. They must urgently address the situation to protect their information assets and the privacy of their electronic identity.