No excuses on compliance
Over the last couple of years, the IT landscape has changed significantly, and there is more change to come. With mobility, BYOD and cloud services changing the security profile of businesses, and regulators placing greater focus on regulatory compliance, the nature of managing compliance in IT departments is changing.
What does compliance mean?
Almost all our panellists agreed that compliance is about adherence to rules. Smith summarised compliance as “taking regulatory statements and policies and procedures and making sure that the organisation complies with those regulations”.
Havers went a little further by suggesting that compliance has three distinct layers. “A governance or policy layer, where business and regulatory access policies can be established and reviewed, approved, granted and revoked accordingly; an operations layer where that policy is translated into IT systems and where an individual is provisioned or de-provisioned as a user in a system; and a program layer which ensures that all access paths to that application or data are managed according to the current, correct access policy.”
Kawalec noted that simply meeting general compliance obligations might not be enough. “Simply meeting general compliance is insufficient for long-term enterprise success as establishment and implementation of those compliance requirements are reactive and lag behind the speed of threat evolution. Therefore, companies must take appropriate steps to be proactive in their approach to compliance.”
Has increased public attention caused businesses to rethink their IT compliance strategies?
All four panellists were unanimous here - the spotlight is definitely on companies that don’t meet their compliance obligations.
McLagan said: “Public attention is requiring companies to give a more sustained focus to compliance initiatives. Consumers and businesses alike are rapidly making decisions on where to spend their time and efforts based on the reputation of the organisation they are working for or with. Failures in operational activities, resulting in loss of data and information, bring bad press to companies, and the ease with which the public can raise the bar on expectations, or express their dissatisfaction through social media and the press, is driving companies to rethink their approach to compliance.”
Both Kawalec and McLagan highlighted that compliance is not a point-in-time activity. As McLagan put it: “Examples of this are demonstrated time and time again where companies have achieved compliance and yet, a couple of months after achieving the tick of approval from the regulatory body, they have ended up on the front page of the newspaper through a failure of controls.”
Kawalec noted that one of the reasons compliance management is an ongoing activity is the shifting threat landscape. “Threats are becoming more sophisticated, frequent and damaging, making it more difficult for enterprises and government agencies to stay secure. Add to that overloaded staff with greater potential for human error, the need for better governance and compliance strategies is increasing.”
What are the biggest challenges to managing compliance for the next couple of years?
The key challenge in the ongoing management of compliance is the number, complexity and pace of changes, which are arriving at what McLagan calls “an alarming rate”.
Smith said: “There appears to be an increasing volume of regulatory change. How do you keep abreast of that? How do you understand the implications for that?”
Coupled with the increasing compliance obligations are the tectonic shifts in technical environments. “Traditional boundaries to information sharing are disintegrating rapidly, with large amounts of information changing hands across continents every minute. Big data is gobbling up bandwidth, cloud capabilities are becoming more viable and enablement of an increasingly mobile workforce is critical to enterprise success. In addition, effective management of big data is still a challenge for many organisations,” said Kawalec.
These changes are creating what Havers calls “an uncontrolled network and user space” that will drive businesses towards starting now on a “two- to three-year exercise to build IT compliance into the fabric of an organisation of reasonable size and complexity”.
Smith raised the issue that some compliance obligations cross national borders. For example, “A US citizen, who is in Australia, has to comply with some US regulation,” he added.
While achieving and maintaining regulatory compliance can be very challenging, Smith also suggested that it can be a significant opportunity.
“A number of our clients are looking at the fact that compliance is really forcing a pervasive approach to change. The impact of various regulatory and policy and procedure changes means that the change is impacting many parts of the organisation. Some of the more forward-thinking clients are looking at this as an opportunity to tackle more progressive change alongside those compliance changes. If they’re addressing a change in the customer information systems because of some compliance pressure, what else can we do while we’re in there, under the hood? What else can we couple with that change for better business outcomes?”
Does the evolution of big data and the cloud mean that businesses need to rethink their compliance strategies?
In the past, when an IT organisation needed to design, develop and deploy a new system, the challenges were around user engagement, meeting functional requirements and ensuring technical operation. However, compliance issues now need to be integrated into the fabric of systems and processes at the design phase and not as an afterthought.
“What we are seeing is that where you are processing data, whether that’s cloud - private or public, there’s a strategy that’s required for regulatory compliance. That is resulting in opportunities for data management, encryption, tokenisation and so on. Those pointers have to be brought in much earlier in the life cycle to be considered much earlier for any compliance and regulatory related requirements. We can clearly see that shift happening,” according to Smith.
Big data and the cloud have changed where and how data is stored, and how it is accessed. “Compliance strategies will surely need to evolve to address the new paradigm in information access and exchange, particularly in an adjusting regulatory and legislative environment. For several industries, data security and data sovereignty - ensuring compliance with regulators’ demand that data is managed and maintained within national boundaries - is key,” said Kawalec.
McLagan’s view is: “Big data is a natural evolution of IT. However, the implication of big data is that there will be more information and data made visible to the organisation and the result is that there are now more areas where compliance focus and initiatives will need to be concentrated upon.”
Do IT departments need compliance managers to ensure they fulfil compliance requirements?
Havers says: “In our dealings with Top 100 organisations, we are already engaging with IT compliance managers. These people sit at a confluence point of IT, risk and business and develop a risk management perspective of business issues, assisting IT with programs of work to meet solid IT governance practices in line with business and regulatory access requirements.”
Similarly, Smith is seeing the rise of the chief data officer as “someone that has holistic ownership and governance of an enterprise’s data”.
However, McLagan perhaps best sums this up. “Compliance is everyone's responsibility - from background checks during an employment process, through to compliance of IT infrastructure and systems, all the way to regulatory compliance.”
Kawalec adds to this saying: “A successful strategy should include specific definition of roles and responsibilities within the IT organisation, including potential new roles, to sufficiently address those challenges. Effective compliance management strategies should also identify vendor and partner initiatives that can share the burden of compliance.”