By Sean Arrowsmith
Increasingly I am witnessing my clients' utter frustration, endless despair, abject misery…cue the violins….
This gloom and doom is due to the ever-increasing compliance and regulatory burden they need to address in order to continue to do business.
So many businesses seem to be suffering 'audit fatigue', whereby different auditors are effectively asking them to demonstrate the implementation of the same control over and over again. My introduction to this post may have been slightly glib, but in all seriousness, the more new technology and consequent new ways of doing business are introduced, the more IT departments are going to struggle with the scrutiny of regulators.
There is a monumental hill to climb here. Organizations are still unwittingly compounding their regulatory pain by creating compliance silos and addressing requirements in isolation, rather than adopting a cohesive approach that saves them the time, money and seemingly never-ending spreadsheet effort. For example, IRM still sees some clients running PCI programs without thinking to extend the good work done achieving compliance to address additional requirements, such as the UK's Data Protection Act.
Businesses can address this issue by understanding their governance requirements across the piece and mapping controls to allow a holistic view of their Governance, Risk and Compliance (GRC) landscape. Businesses would therefore be able to reduce regulatory uncertainty and develop common controls applicable to a wide variety of their regulations. There are so many commonalities across regulatory requirements, and these should be taken advantage of, lest an organization's compliance spend spiral completely out of control.
Furthermore, modeling these requirements and managing them in a central system would give companies a much more focused view of their regulatory progress, not to mention reducing the cost of compliance and audit over time by minimizing duplicative spend.
Unfortunately, there is little to be done with regard to the multiple regulators or external compliance bodies joining up to make life easier for organizations. However, I would argue there are a significant number of internal measures a lot of companies can take in order to improve the way they address requirements and in doing so reduce the burden…and silence the violins.
If anyone is interested in exploring some of the reasons that have given rise to this situation and reading some detailed advice on real steps to bring about greater cohesion between compliance and security, IRM has written a whitepaper on the issue.
Sean Arrowsmith is IRM’s commercial director. He is responsible for agreeing, achieving and maintaining all of IRM’s commercial relationships. He has over ten years of experience in the information security industry, meeting the requirements of various industry sectors, such as retail, banking, gaming and gambling, healthcare and the public sector. His expertise lies in understanding C-level individuals' concerns and their desire to transform their company’s information security function.