Pulsant: Never-ending compliance
This article was originally featured as an industry analysis article in the April 2018 issue of LPM.
Javid Khan, chief technology officer of Layer V, a Pulsant brand, discusses the challenges that firms face when it comes to achieving and maintaining compliance using people, process and technology.
Many companies see compliance as a journey. The problem with that is a journey typically has a beginning, middle and end. Compliance is not strictly a tick-box exercise, as many firms now realise with the rapid approach of the GDPR compliance deadline. Nor is it a static endeavour. Businesses change, the industry changes and so too does the regulatory landscape – all of which mean that achieving compliance is just the first step. And of course, this means that staying compliant becomes a challenge. Compliance is an organisational mission – it covers your people, your processes and, importantly, your technology. Getting it right in one area won’t matter if the other areas are lacking.
In this journey, then, there are additional steps beyond achieving compliance that many of us fail to recognise. Whatever the regulation, whether Payment Card Industry Security Standards Council (PCI), ISO27001 or GDPR, compliance is about putting the procedures and controls in place to meet those regulatory requirements, ensuring your staff are on board with what needs to be done and how compliance affects them, and then continuing to monitor and track your status with a view to maintaining that compliance. In effect, it’s continuous compliance.
And here’s the challenge. From a risk, cost, resourcing and time perspective, maintaining compliance isn’t easy. Specifically from a technology point of view, the more regulations you need to meet and the more data sources you have, the more difficult it is to maintain that overall view of compliance and where your firm actually stands.
Just do it
Taking a step back, what happens when you don’t meet compliance? Broken customer, investor and stakeholder trust, loss of business, loss of revenue, and often fines. Looking at GDPR, one of the main drivers for compliance has been the much larger fines imposed for non-compliance or for experiencing a breach as a result – respectively, up to 4% of global annual turnover or £20m, whichever is greater, and up to 2% of global annual turnover or £10m, whichever is greater.
And it’s not just global corporates that suffer. Regardless of industry or size, compliance (or lack thereof) affects you. Of course compliance ties to larger issues as well, such as cybersecurity. Getting the processes and best practices in place as part of a compliance programme often overlaps with basic cybersecurity principles, such as patching. While one doesn’t replace the other (compliance isn’t cybersecurity), there is a correlation. To put things into perspective, in its annual PCI compliance report, Verizon stated that not one of the organisations that suffered a data breach was fully compliant at the time.
So while no one disputes the importance of continuous compliance, are there any firms getting it right? Again, looking at the technology side, continuous compliance isn’t a new term and it’s something that many businesses are already doing in one form or another. Typically, what this means is that organisations manually bring together data from multiple compliance tools because there’s no real method of making these disparate systems work together. You may have a large, capable team, but are they helping your organisation comply in the most efficient way?
As mentioned, the main challenges of continuous compliance are cost, time and resources. The size of regulatory frameworks, the growth of your business and the level of understanding within it are also significant barriers that need to be addressed.
Risk management and compliance frameworks are themselves difficult to manage. If you consider just how many requirements within each regulation need to be met (the US NIST Cybersecurity Framework features more than 400 requirements, for example) then you see the scale of the problem. Now, if your organisation has more than one framework to comply with, the problem is even greater. How do you ensure that your firm remains within compliance and meets each and every single one of those requirements?
Your business is also affected by internal and external changes, which means each change has the potential to impact compliance. Looking specifically at IT compliance, staff turnover and the onboarding and offboarding of team members can have a significant impact on compliance in terms of software licensing and hardware used. In the same vein, the market around your business changes too, especially when it comes to technology. All of this needs to be taken into account.
Importantly, your staff, particularly your senior team and board members, need to fully understand what compliance actually means, what it applies to and who is responsible for it. This includes the all-important questions of what should be monitored, when this should happen, how it’s reported on and, perhaps most crucially, how you can prove compliance. In addition, IT teams may not have the right skillset to translate compliance and controls in the physical world to the virtual world.
For continuous compliance to be successful, there needs to be some element of technology consolidation, normalisation and automation in bringing all those data sources together in a seamless way. And you need a method of gaining an overarching view of your IT infrastructure. From there it is all about what you do with the data, what reports you can dynamically generate and what information you have on hand to effectively manage and monitor all aspects of compliance.