Maintaining compliance is a difficult job -- both in scope and in practical application. There is a vast array of regulations that organizations need to comply with, and the number is constantly increasing. Determining which ones apply to a company depends on organization-specific factors such as vertical industry, geography, type of business services performed and data collection activities, to name just a few. In application, it's also difficult because the personnel closest to the specific technology involved in meeting key regulatory compliance requirements are often outside of the compliance team's direct management responsibility, while the output of their activities is very much within it.
As an example of this last point, consider a regulation like the Health Insurance Portability and Accountability Act (HIPAA). HIPAA includes very specific standards and implementation specifications that govern what compliant organizations must have in place in terms of security controls, including data encryption, technical monitoring and user account requirements. For the majority of the covered entities, compliance teams are chartered with ensuring that these specifications are addressed. Many of these same teams, however, do not have direct oversight over the implementation, operation or monitoring of the technologies that they address. Instead, these technologies may be under the purview of information security teams, under the auspices of broader IT, outsourced to service providers or run by other departments.
This situation has the potential to lead to an adversarial relationship between the compliance and security departments. Compliance teams sometimes feel that their concerns go unheeded, for example, when a requirement remains unaddressed despite investment in other areas. By contrast, technical or security personnel may look at compliance activities as siphoning budget from investments that reduce technical risk. This can be a challenging situation, but there are strategies to help overcome these hurdles or even ensure that they don't arise in the first place.
Strategy one: Budgetary alignment
Many times, budgetary and spending considerations are a key element of the friction between compliance and security teams. Despite the prevalence of this contention, very rarely is budgetary planning a joint activity that includes both stakeholders. Combining the two departments during budgetary planning can help, particularly when planning spans multiple years. Any plan that goes beyond the current budgetary cycle will obviously need to be somewhat malleable, but the exercise of putting it together is in itself useful.
Benefits of setting a multi-year strategic plan that addresses budget and spending include allowing prioritization decisions, even fractious ones, to be negotiated well ahead of time. It also allows soft costs like staffing considerations and controls operationalization to be accounted for. The point is that agreeing on budget priorities jointly can ameliorate disagreements, nip subsequent resentment about specific investment decisions in the bud, and decrease the amount of adjudication required by management and/or governance teams when departments don't see eye to eye.
Strategy two: Strategic alignment
Implicit in the above strategy is an alignment -- or at least a tentative agreement -- between the goals for both the compliance-focused part of the organization and its security teams. As a part of that effort, another useful approach is to explicitly conduct strategic planning that address both compliance and security goals. Specifically, setting a mission for both teams that acknowledges and, where practical, even includes the core objectives of the other can help reduce workload and increase efficiencies on both sides. When these goals are aligned, opportunities for collaboration can emerge that wouldn't be seen otherwise.
For example, including measurable risk reduction as a goal for both departments helps simultaneously address compliance and security requirements. Many regulatory requirements require a risk-based approach anyway, but a joint effort to figure out how to measure, weigh/prioritize and report on that risk can obviate some sources of contention.
Strategy three: Control alignment
Lastly, there are sometimes disagreements about the order in which controls should be prioritized in terms of time and budget. But when examined closely, very often the specific controls required under governing regulatory requirements also provide security value. In addition to alignment on budgets and overall goals, it's also helpful to approach specific controls as a joint activity between security and compliance. Specifically, the two departments should discuss what controls are needed and where.
The goal is to create an inventory of controls that are already in place and those that are desired for the future. Understanding what you have in place now allows you to analyze and document current controls that have overlapping security and compliance benefit. It should also identify areas where there are controls you desire but do not have currently in place. Knowing what you'd like to have but don't allows you to find overlapping areas where both security and compliance goals would be forwarded with one investment. This helps you build a stronger business case, and if combined with budgeting exercises, might even open up creative ways to fund it.
About the author:
Ed Moyle is director of emerging business and technology at ISACA. He previously worked as a senior security strategist at Savvis Communications and a senior manager at Computer Task Group. Before that, he served as a vice president and information security officer at Merrill Lynch Investment Managers.