Regulation should not drive risk, security planning
CIOs should stop basing their IT risk and security planning primarily on the need to ensure compliance with regulations, according to Gartner.
Compliance is an outcome of a solid risk management policy, according to Gartner Research Director John A Wheeler, and should not dominate decision-making.
“By simply trying to keep up with individual compliance requirements, organisations become rule followers, rather than risk leaders [able to] proactively address the most severe threats to their organisations.”
Risk leaders approach compliance risks by tracking key regulatory and business changes, and then creating a plan to address compliance requirements in a way that improves resilience and influences their business’s success, Wheeler said.
The key distinction is not to treat compliance activities as mere checkbox exercises, but taking into account the risks that compliance activities are intended to address.
“If CIOs are managing their risks effectively, their compliance requirements will be met, and not the other way round,” Wheeler said.
He recommends companies create a formal program of controls based on the specific risks unique to their business, and then map rules and laws onto these controls. This also requires CIOs to be able to make a defensible case to regulators that the rules are being properly followed.
CIOs should also be working with their security and risk management teams to create a program capable of anticipating and adapting to changing regulatory requirements, Wheeler added.
Putting people first in the AI revolution will drive your innovation engine
The role of tech leaders is to enable an organisation's people to harness the transformative...
Navigating tech catastrophes: five key lessons from the CrowdStrike outage
As organisations continue to recover from the CrowdStrike incident, it is essential to reflect on...
What is the cost of a false alarm when it comes to data issues?
A documented triage process is necessary in order to weed out any misunderstandings and false...