It’s not just about the big IT risks
It’s pretty obvious that IT risks, particularly those involving cyber-security breaches, are among the largest risk issues facing organizations today. Just look at the fallout that occurs after a hacker manages to get hold of millions of records of customer confidential data—share prices fall, brand names are tarnished, customers take their business elsewhere and CIOs are fired.
Inevitably, leaders of IT, security and risk management pay a lot of attention to the big cyber security risks and allocate resources accordingly. The challenge that many IT risk and compliance leaders face is what to do about everything else. What is the best way to deal with the often overwhelming mass of regulatory requirements and compliance issues that impact IT? How do you make sure that your organization is compliant with all the requirements contained within frameworks, standards and regulations such as COSO, ISO/IEC, COBIT 5, HIPAA, PCI, GDPR, etc.? How do you manage to make the whole complex machinery of compliance activities actually work well?
Avoid an outdated approach to a current and rapidly changing issue
IT security and compliance professionals are under enormous pressure to ensure their organizations remain compliant and are protected from risks of cyber failures and the wrath of regulators. They also presumably need to achieve all of this as efficiently as possible without involving massive amounts of resources—even though actually managing the mass of often overlapping and sometimes contradictory regulations is a complex process.
So it is surprising to discover how many IT compliance teams are still relying on homegrown spreadsheet-based systems, or outdated application software to manage compliance processes. It may seem a bit ironic that functions responsible for IT compliance are using outdated IT applications—but it is often the case. The problem, somewhat understandably, is that IT regulations, standards and compliance requirements are constantly evolving—as are the underlying IT systems themselves. In multinational and multi-business corporations, silos can develop that address the latest or local set of requirements, with little coordination and collaboration across the separate silos.
It might be time for smarter approaches
At some point, IT compliance leaders can benefit from taking a step back from the ongoing tactical challenges and consider whether there is a better way to do things. Outdated IT applications are not the answer; there are often better ways to actually remain in compliance with requirements while applying reduced resources and effort. The right combination of technology and best practices can transform IT compliance processes—both in terms of efficiency of effort and risk reduction.
A smarter approach usually involves close collaboration and functional integration from all of those involved in multiple areas of IT compliance. It also involves coming up with a revised approach to managing and understanding the links and relationships among compliance requirements—using technology that specifically supports mapping and linking multiple requirements to risks and controls in a tightly integrated way.
The next steps are often to use software to increase automation in two key areas: continuous/ongoing control and activity testing, and automated workflow for dealing with alerts and control exceptions (as well as the often painful process of managing questionnaires, IT control self-assessments and attestation/certifications).
Another key factor in rethinking IT compliance processes is one of attitude and making smarter choices around interpreting and implementing regulatory requirements. Of course, this includes control rationalization and harmonization—ensuring control procedures are not duplicative or redundant—though it also includes a bit of risk-taking in terms of moving beyond a literal checkbox mentality and focusing more on achieving compliance with the overall “spirit” (or intent) of a requirement.
One further step is to integrate IT risk and compliance into an overall enterprise-wide risk management process, which ensures that the complexity and degree of the risks are adequately addressed. This means that IT is not considered in isolation, but in the context of overall risks and compliance issues faced by the organization—which also helps to ensure a smart and well-balanced response to the IT compliance challenge.
Assess the IT compliance process itself
There is no one solution that is the perfect fit for all IT compliance functions. The important thing is to apply best practices in objective monitoring and assessment, not just to compliance risks and requirements, but to how well the overall IT compliance process itself is working.