Regulation should not drive risk, security planning
CIOs should stop basing their IT risk and security planning primarily on the need to ensure compliance with regulations, according to Gartner.
Compliance is an outcome of a solid risk management policy, according to Gartner Research Director John A Wheeler, and should not dominate decision-making.
“By simply trying to keep up with individual compliance requirements, organisations become rule followers, rather than risk leaders [able to] proactively address the most severe threats to their organisations.”
Risk leaders approach compliance risks by tracking key regulatory and business changes, and then creating a plan to address compliance requirements in a way that improves resilience and influences their business’s success, Wheeler said.
The key distinction is not to treat compliance activities as mere checkbox exercises, but taking into account the risks that compliance activities are intended to address.
“If CIOs are managing their risks effectively, their compliance requirements will be met, and not the other way round,” Wheeler said.
He recommends companies create a formal program of controls based on the specific risks unique to their business, and then map rules and laws onto these controls. This also requires CIOs to be able to make a defensible case to regulators that the rules are being properly followed.
CIOs should also be working with their security and risk management teams to create a program capable of anticipating and adapting to changing regulatory requirements, Wheeler added.
There is a culture within the IT world that downplays the importance of maintaining good mental...
The ACCC has accused Google of failing to obtain consumers' informed consent before combining...
The AIIA has welcomed the government's JobTrainer initiative to reskill school leavers and...