Whatever your product, business objectives or workforce structure, compliance with industry regulations is a massive undertaking. But being noncompliant is costly in many ways and connects directly to your business risk: any failure to adhere to applicable laws and standards can cost you hefty fines and lost time.
Perhaps most important to mitigating that risk and moving forward within regulations is your own awareness of your current level of compliance. In an in-depth look at how compliance fits into company safety, Harvard Business Review writers David De Cremer and Bjarne Lemmich outline three costly examples of non-compliance blamed on ignorance of regulations or actions within the business, noting that "these examples make clear that companies often do not know what's going on in their own offices, which can severely damage their reputation."
In sum, if you don't know where you stand, you're taking an unnecessary risk. Still, navigating a rapidly evolving landscape of regulations isn't a simple task. With all of the new laws introduced during the boom of the digital age in the late 90s and early 2000s, and with security experts predicting that 2016 will bring further and more complex regulations, you'll need to find a starting point.
Getting started with compliance regulations
To begin, you'll need to consider the landscape. Use this resource to find popular compliance regulations (and follow them to further reviews of each) to position yourself.
Remember, there are rules for every industry, and many compliance regulations won't be relevant to your business, which makes understanding your requirements an even more complex effort. Transportation regulations, the Children's Online Privacy Protection Act, and H.R. 2868, the Chemical Facility Anti-Terrorism Standards regulation, are just a few examples of regulations you may find completely inapplicable or, depending on your industry, highly relevant.
Consider creating a list of laws that might apply to you. Begin with broad-spectrum laws or category types, such as the Sarbanes-Oxley Act, PCI regulations, and your respective state's specified regulations. You may also want to ask your legal team for a review of this list to ensure that it's comprehensive and request a review of all laws and regulations before you begin choosing a solution.
Trusting the checked box
Bear in mind that your solution shouldn't just be about checking those boxes. In fact, the title of the HBR piece says it all: "Compliance Alone Won't Make Your Business Safe."
Safety is unattainable by just barely meeting the standard. The boxes you check are only as meaningful as you make them, and that depends on the measures you put in place to make sure each requirement is actually met, not merely nominally satisfied.
For instance, though you may have password protection measures in place and therefore meet a general compliance regulation that states you "must use passwords," your employee's six-character choice of "pw1234" is far easier to crack than passwords that reflect stricter, more specific requirements.
So you can't solely trust the checkboxes. Rather than taking a purely legal tack, consider how to set up sound IT and business policies that provide a basic structure. You'll also want to consider how to effect behavioral change through awareness training within the company, and how to meet your business responsibility to keep those policies evolving as the rules change.
Increasing compliance
The legal advice you receive should arm you with direction and parameters. You can then begin to audit against that advice. (Note that a compliance audit differs from a security audit.) Once you know where you stand, you can start making calculated moves toward minimizing your risks.
Minimize risk by:
- Defining policies to protect against data loss
- Creating a chain of command
- Educating your employees
This last point is especially important. As De Cremer and Lemmich point out, "One shortcoming of compliance programs is that they assume misconduct comes from bad apples, rather than good people doing bad things." Misconduct by deliberate bad actors is almost never the case. Policies and a control culture alone won't cover the well-intentioned people who make mistakes and want to learn how to avoid them in the future, which makes continued employee education one of your top priorities.
Even when you provide educational opportunities, you may still need some assistance with the evolution aspect of your strategy. Hiring a partner is a good bet.
Staying ahead of compliance regulations
Staying in front of, or at least adaptable to, your industry's changing rules may require a partner. A strategic partner with expertise in business compliance can:
- Provide access to new information and regulations
- Conduct regular audits to ensure compliance
- Conduct quarterly employee awareness training
Moving forward
Because the goal of abiding by compliance regulations is to keep your business safe, you know that ignoring them is not an option. The best way to move forward is to treat compliance like other initiatives: spend your resources in the right place to minimize risk and realize greater business value.
In this case, the right place involves legal advice and subject matter expert partners who can help your company navigate the murky waters of business regulations, even as you grow and those regulations continue to shift.
Originally published on 03/15/2016
Topic: Cybersecurity, Compliance, Network Management & Performance