Maurice Hampton

I am still amazed by the number of organizations that still don't have all of the right people working toward a singular goal of compliance for the organization, says Maurice Hampton, information security & privacy services leader, Clark Schaefer Consulting.

In my years working in the security industry, I have noticed one consistent theme: information security team strategies, budgets and activities are frequently driven by, or at least heavily influenced by, the need to comply with some regulatory requirement. While this may sound elementary to many readers, I am still amazed by the number of organizations that don't have all of the right people working toward a singular goal of compliance for the organization. In many cases, the information security function takes on this role simply because no one outside of internal audit has the controls experience required.

So let's look at regulations for what they are: just another set of controls that need to be in place to protect something. When attempting to determine how to comply with multiple regulations, the first step is to break down each regulation into individual controls. When you do this, you will find that many of the regulations are saying or requiring the same thing. As a result, the individual controls identified in each regulation will need to be rationalized into one common control set.

Of course, information security likely will not have experts on all regulatory requirements, so it is critical that those responsible in the department act as the internal ambassador who brings all of the necessary areas of expertise to the table. Once the teams have been assembled, it will be very important to make sure that the individual representatives take ownership of their part of the entire effort. One way to do this is to make each member responsible not only for the identification and breakdown of regulatory requirements into controls, but also for the ongoing maintenance and monitoring of their area of specialty within the overall effort. The goal is to create an organized compliance program with the support and credibility it will need to succeed.

Putting together a compliance program like this will generate countless hours of discussion and debate. When the talking has ended, it is necessary to capture all of the process, control and regulation information in a location that can be easily accessed and maintained. If your organization has the programming resources to build a solution, or already has some sort of collaboration tool in place to facilitate this, you are ahead of many. In most cases, it will be easier to acquire a purpose-built solution to jump-start your compliance effort. These solutions make managing the compliance process from beginning to end much easier, as you will have the benefit of years of forethought and development, frankly at someone else's expense.

Bringing this full circle, information security organizations should spend time at the outset creating a compliance program rather than reacting to ad hoc requests and one-off efforts to force changes in behavior. Not only will your organization likely spend less time and money complying with regulations and standards, you will also be viewed as a thought leader playing a critical role in the success of the organization and having a measurable impact on the bottom line. This will go a long way toward demonstrating the team's value to the business outside of IT. It should also make the conversations a little easier the next time the budget cycle comes around.