Security Think Tank: How can business achieve compliance and security? (Part 8)

What can businesses do to make regulatory compliance a priority without losing focus on security basics?

Whether an organisation is complying with legislative regulations, addressing industry standards, or meeting internal policies, the process is time-consuming and costly. Businesses tend to be focused on the latest mandate rather than their security objectives.

The reality is that compliance and security teams have the same agenda: both want to protect the business, their customers, employees and shareholders. But, both go about implementing this protection in different ways. The security team is in the risk adviser business and focused on protecting the technology aspects of the business. Meanwhile, the compliance team is focused on creating appropriate metrics and controls to assure the organisation is protecting its data and meeting regulatory requirements. 

Due to sizeable fines, damaging headlines and customer churn, regulatory compliance is a high priority in businesses. Compliance managers usually report directly to executive management or the board. As a result, this team is usually well funded and has the ear of the business units and executive management. 

On the other hand, security is often viewed as a cost centre. The technology required to secure the network infrastructure is often confusing and it is difficult to define clear metrics that help the management team understand how their investment makes the organisation more efficient. 

The reality is that these two teams need each other. The compliance team needs the security team's expertise and ability to execute controls. The security team could really leverage the compliance team's executive management influence as well as its budget. So why not create a partnership? While such partnerships are not easy to get off the ground, there are a few successful tactics that can help the teams get off to a good start:

Establish a champion. Whether the champion is the compliance officer, the chief information security officer (CISO), or another management executive, this senior sponsor sets the tone for the two teams' partnership and assures that both groups work in step to meet their goals.

Define attainable goals. Together, the teams should set quarterly and yearly goals that provide attainable metrics to enable both groups to show they are adhering to the compliance requirements as well as securing customer data. 

Develop a common language. The terminology used by auditors and IT professionals varies greatly. As the teams work together to define goals and requirements, establish clear definitions of the goals and metrics to allay any confusion on progress toward these goals. 

Meet often. The champion should establish periodic meetings to align priorities between the two groups and assure they are on track to attain their mutual goals. If both groups aren't seeing benefits from the partnership, the partnership won't last long.

Create a metrics dashboard. Dashboards enable all stakeholders to visualise their progress toward goals and their impact on the business. They are a very good way to communicate priorities and progress to executive management.

Susan Read-Miller is principal product marketing manager, network management, Ipswitch
