As children and teenagers, our minds don't process risk and reward the way they do after we've fully matured. As children, we'll touch the stove. We'll take a leap off a height much too high without a second thought. As teenagers, we'll drive too fast and play way too hard at soccer practice.
As an adult, though, you've learned. You assess risk and reward in each situation, weighing whether or not actions are "worth" their consequences. In many situations, your scale functions perfectly accurately. But when it comes to security and your company's risk, the scale might be a little off, or you might forget to include some weights at the right time for measurement.
What do you need to know in order to reap the most rewards and create the fewest risks?
Start with the basics: Be compliant.
What is Compliance Risk?
EnlightenMe's definition is appropriate: "Compliance risk is the threat posed to a company’s earnings or capital as a result of violation or nonconformance with laws, regulations, or prescribed practices." The effect on your organization is built into the definition. But the threat to capital extends past regulatory fines alone, to include any lost costs, such as those which come in the form of decreased productivity (caused by a data breach, for example) or dissatisfied customers and decreased trust.
So what does it take to mitigate that threat?
"When it comes to security, being compliant means that the level of security on your network, servers and workstations meets a given set of standards demanded by a body, such as the The Health Insurance Portability and Accountability Act (HIPAA)," says Alex Insley, Twinstate's Unified Defense Strategies technical manager.
Every standard you may have to follow is designed to minimize risk to your organization, including the risk of confidential data exposure, which can cause a significant loss of trust and consequently, of customers and revenue. So understanding the standards and correctly implementing them is to your benefit, not detriment, although compliance often feels like a resource-heavy, long-term endeavor.
Compliance doesn't just include technical adherence to standards, though. Your mandate also might include implementation of employee codes of conduct which establish how everyone in your organization should interact with data and systems in order to best protect information.
Your First Steps
To help your company assess compliance risk and appropriately respond to your compliance mandate, start by learning which regulatory compliance rules apply to your particular industry and region. You could learn, for example, that because you store no credit card data, PCI compliance laws don't apply to you, or that your state has specified security regulations with which you're as yet unfamiliar.
Next, consider the best way to go about achieving the mandate. If you discover that one of your regulations requires your company to encrypt all data, and you're not sure whether or not that's currently happening within your organization, elevate the issue to your security team. Don't have one? Consider a partnership that includes helping you adhere to your compliance mandate along with awareness education, so every employee gets on board.
Being methodical as you learn about your compliance needs is, perhaps, the best way to address risk and keep your company from enduring the consequences of going too fast or touching the stove. Weigh your risks and recognize that your reward — a safe, secure environment that functions well and doesn't prevent you from achieving your business goals — is always within your reach.
Originally published on 07/05/2016
