By Richard Hibbert, CEO, SureCloud
Traditional compliance management involves stressful annual audits, mountains of paperwork and often tedious manual spreadsheet administration, the purpose of which is often deemed by the executives as little more than a tick-box exercise conducted at huge expense for minimal return. Little surprise, perhaps, that requests for investment in systems to manage compliance processes more efficiently are frequently met with scant enthusiasm. A fundamental shift in attitude is required and some are starting to see to the light. Companies faced with regulatory obligations should think beyond the tick-box and embrace the underlying intent of regulation - namely to improve business processes to help minimise risk and safeguard the business.
For regulations such as the Payment Card Industry Data Security Standard (PCI DSS), an audit takes place every 12 months. The information required for these audits is scattered across various departmental functions including IT, finance and HR. Skilled auditing staff are tied up for several months chasing feedback and results that demonstrate compliance and then, when it’s over, business returns to normal until the next time. This is risky practice as compliance levels inevitably drop between each annual PCI audit. This leaves the organisation vulnerable to breaches. If a breach does occur and customer data is stolen, the organisation faces the prospect of regulatory fines plus loss of face and brand loyalty once it becomes public.
A fresh approach is required - one that raises the profile of compliance as a discipline and which delivers new, tangible benefits to the organisation. The key elements of change can be summarised as the three Cs of compliance - control-centric, continuous and collaboration.
At SureCloud we advocate replacing the old audit-centric approach with one that is control-centric. Many regulations have overlapping requirements that share the same controls. When the focus is on continuous compliance, controls can be mapped to multiple standards. It frees the organisation to migrate more easily from one version to another, such as when moving from PCI DSS v2.0 to PCI DSS v3.0. Control-centric compliance also reduces duplication of effort affording compliance teams a complete picture of the wider compliance landscape. This improved visibility helps to pinpoint previously unseen gaps in security so remedial action can be taken to quickly reduce risk. By shifting focus from the standard to the control, an organisation can concentrate on the core intent of the standard, improving its overall risk profile rather than achieving compliance for compliance’s sake.
Having a continuous approach to compliance reduces the chance of security lapses and offers better real-time protection than a series of retrospective assessments. For this reason compliance should be part of an ongoing process rather than the subject of annual audits. In our experience organisations that adopt cyclical Business-as-Usual (BAU) compliance activity throughout the year find the whole process less onerous and more productive. Armed with intelligence throughout the year, the organisation is more stable as weaknesses are identified and ironed out throughout the year.
Empowering key stakeholders to collaborate in the compliance process means every control is managed as a routine part of BAU activity– daily, weekly, monthly or quarterly as appropriate. As staff absorb this responsibility into their daily role, skilled auditors no longer have the administrative burden of gathering evidence that controls are being met. Compliance specialists can concentrate on the more productive task of business analysis and assessment. The collaborative effort should extend beyond internal staff to encompass third party suppliers also. Suppliers’ compliance data should be collated via the same system, preferably cloud-based to enable centralised reporting and visibility. This collaborative compliance methodology removes duplication of effort, ensures the collation of accurate, up-to-date data and provides real-time visibility of compliance status across the extended enterprise.
The pursuit of these three Cs of compliance adds tangible value to the business and offers a modern alternative to the frenzied annual activity traditionally associated with achieving compliance. Implementing these three elements, underpinned by process automation, greatly simplifies the compliance process, increases productivity and reduces exposure to risk. Further enhancements are possible when solid analytical capabilities are introduced into the mix.
Embracing the advantages of an alternative approach to compliance as described - transitioning to continuous, control-centric measures driven by process automation - allows executives to experience tangible rewards that go far beyond ‘tick-box’ compliance and maybe even make them think again about the value of investing in compliance initiat