On many occasions, I found myself face-to-face with senior managers, arguing for extra funds to acquire and implement needed security programs, only to realize that it was not my security acumen that won the day; it was my compliance arguments that stole the show every time. Senior managers, although aware of security threats and the damage they may inflict upon an organization, are more persuaded by compliance arguments, especially non-compliance arguments, than by those based on risk assessments, hacker attacks, malware, etc. Protection mechanisms, such as firewalls, IDSs, VPNs, and training, have little, if any, persuasive appeal for senior managers. Historically, as a matter of routine, many “C-level” decision makers are more comfortable dealing with legal and regulatory matters. Generally, legal and regulatory issues tend to be more black or white: it is legal or it is not; we are compliant, or we are not. Senior decision makers’ discomfort with “gray” area problems may also explain their reluctance to commit to certain types of policies, such as those addressing ethics. Decisions to expend additional funds, especially funds for strategic security programs, are often delayed until the last minute, or simply left on the plate for the next administration to deal with.
One of my earliest concerns about assuming both roles – security and compliance – dealt with the appearance that I might be unable to objectively administer the compliance role while also administering the security role. Security is often perceived as an operational role under the scrutiny of various policies, legislative acts, and agency rules, and compliance is often perceived as an evaluative (or audit) role over operational activity. So how could I, as compliance manager, objectively evaluate my own compliance with various legal and regulatory mandates? Well, I contend that there is no way to do this; however, the question rests on an assumption which I reject: compliance is not an evaluative (audit) function, as was assumed above.
Compliance is as much an operational function as finance, marketing, or security. If a corporate role exists that is responsible for evaluating an organization’s adherence to policies, legal acts, or agency rules, it is the corporate Internal Audit (IA) function. As for compliance, its purpose is to ‘proactively’ work with organization members to ensure the organization gets and stays legal, or compliant, not to ‘reactively’ evaluate and report on non-compliance, as would be expected of the IA function. Just as the security manager ‘proactively’ implements security controls designed to prevent adverse events, so too does the compliance manager ‘proactively’ consult and advise others on policies and practices that will ensure the organization and its members remain good public citizens. The truth is that Security and Compliance are BFFs. Each complements the other. Even though most security controls are not implemented in adherence to legal or regulatory compliance, knowing that such compliance requirements exist helps to justify the acquisition and implementation of controls. For example, for decades before the enactment of HIPAA, the healthcare industry, and its patients, faced increasing numbers of threats, especially to privacy, while security budgets dwindled, unabated. Compliance with HIPAA, although not foolproof, enhanced security and privacy in very profound ways.
I now realize how beneficial my status as head of both security and compliance was for my organization. By staying alert to compliance issues and knowing how our security controls addressed them, I enhanced the value of each role.