By Janet K. Himmelreich, Head of Security, Risk and Compliance Centre of Excellence.
Securing your business against cyber crime doesn’t guarantee compliance (and vice versa). Here’s how to make sure you get the best of both worlds.
Security isn’t the same as compliance.
You might think that meeting all of your security needs means you’ve automatically dealt with your compliance risks too. After all, your security setup keeps your data private, right? And that’s enough to handle those regulatory requirements, isn’t it?
Unfortunately, the reality is nowhere near that simple. You can be ‘secure’ without meeting your compliance plan, code of conduct or the aforementioned regulations. And if your budget and planning focuses too heavily on security, you could easily be at risk of failing to meet your compliance requirements.
You have to pay attention to both.
In today’s fast-paced IT environment, tech teams push hard to meet the latest rules and expectations of their security and privacy. But compliance requirements often revolve around regulations rather than the usual security certifications. This means that the two don’t always match up.
A focus on security could therefore be calamitous for your company when the regulators come calling. What you need within your organisation is a strategy for compliance that includes security measures and tactics, but doesn’t rely solely on them.
Three steps to solve the issue.
So, how can you bring security and compliance together? Here are three steps to take which will make sure you take care of both.
1. Make sure there’s collaboration between all the teams involved.
This might seem obvious, but not many organisations do it well. You have a number of groups that have an effect on compliance, including security, privacy, quality and legal — not to mention your business leaders. And every one of these will have their own priorities and views.
By building a multi-disciplinary team to evaluate the options, you can make sure that each team has a say in your strategy. This gives you a much better chance of providing security and compliance in a way that suits everyone.
2. Establish a ‘Compliance Forum’.
Once you have your strategy team in place, you have to make sure they come together regularly (I recommend monthly) to discuss issues and new developments. This gives everyone an update on your organisation’s priorities and risks — especially when it comes to your IT.
This can be particularly helpful when you feed back to management and the board because you’ll already have identified whether your balance of focus and spending is appropriate to the risks highlighted by your forum.
3. Look at the bigger picture in your industry.
You have to take a look at the various rulings and investigations taking place within your industry. These will give you a good idea of whether your strategy covers the areas that others have fallen down on.
Looking at the whole picture rather than focusing solely on your own situation — and knowing the right questions to ask — will help you avoid the gaps between compliance and security.
Making sure your organisation is both secure and compliant is no small task, but follow these three steps and you’ll have a much better idea of whether you’re on track or not.
We can help you understand the threats and risks to your business. Discover more about how we can help you solve the issues of security and compliance.