Richard Shaw explains that, with constantly changing regulations, CIOs need to actively manage compliance.
by Argantic director Richard Shaw
One of the biggest challenges for CIOs today is keeping up-to-date with constantly changing regulations. This is largely due to the dynamic nature of the compliance landscape.
While compliance with regulations like the Protection of Personal Information Act of 2013 (POPIA) and the General Data Protection Regulation (GDPR) comes with a hefty price tag, the alternative is far more costly.
According to a study by the Ponemon Institute and Globalscape, being compliant costs less than the business disruptions, loss of revenue and hefty fines that follow non-compliance. The cost of non-compliance is more than twice that of compliance.
In fact, this report finds that the cost of non-compliance is nearly three times higher than the cost of compliance. Organisations that delay compliance efforts are taking an ill-advised risk which could ultimately yield a pricier penalty.
Many companies rely on periodic assessments, like annual audits. However, these periodic assessments create a digital blind spot: they can quickly become outdated and can leave the company exposed to risk until the next assessment is done.
CIOs and CISOs should find ways to improve integration and create near real-time assessments to control risks caused by digital assets. They normally know the technology solutions but find regulations difficult to understand.
In contrast, compliance and legal teams are normally familiar with the regulations but struggle to understand the technology that could help them comply. Many of these teams still try to track compliance manually by using general purpose tools like Excel.
There are many complexities in managing compliance activities and this often hinders adoption. The biggest challenge is understanding how to integrate various solutions and to configure each one to minimise compliance risks. This becomes exceptionally difficult when solutions are sourced from various vendors and especially when they have overlapping functionality.
Businesses are generating and consuming much more data than ever before and their digital transformation journeys are geared to help them gain an edge over their competitors. This data enables them to stay relevant by empowering their employees, engaging customers and optimising operations. However, managing this data on various devices can be extremely complicated, especially when it comes to ensuring compliance.
Not only is the amount of data growing exponentially, but legislation and regulations on how to manage that data are also becoming more complex. Collecting customer information is an integral part of how businesses function, but it remains a challenge to maintain and protect this personal data.
Non-compliance could result in significant fines and it could also have a significant impact on a company’s brand, reputation and revenue.
Business leaders need simple tools that will help them manage compliance. There are end-to-end compliance management solutions that empower companies to simplify compliance, reduce risk and meet global, industry and regional compliance regulations and standards.
These solutions translate complicated regulations, standards, company policies and other desired control frameworks into simple language, map regulatory controls to recommended improvement actions, and provide step-by-step guidance on how to implement those actions to meet regulatory requirements.
They help CIOs and CISOs to prioritise work by associating a score with each action, which accrues to an overall compliance score. Compliance management solutions provide pre-built assessments for common industry and regional standards and regulations, and custom assessments to meet a company's unique compliance needs. Which assessments are available depends on the licensing agreement.
They also offer workflow functionality to help one efficiently complete risk assessments. Compliance management solutions provide detailed guidance on actions one can take to improve the level of compliance with the standards and regulations most relevant for one’s industry.
A risk-based compliance score also helps business leaders understand their compliance posture by measuring their progress in completing improvement actions.
Businesses that run their workloads on-premises are entirely responsible for implementing the controls necessary to comply with standards and regulations. With cloud-based services, the responsibility becomes shared with the cloud provider, who is ultimately responsible for the security and compliance of their data.
Businesses no longer need to spend resources building data centres or setting up network controls; there are Software-as-a-Service (SaaS) solutions available to manage controls relating to physical infrastructure, security and networking.
With this model, businesses manage the risk for data classification and accountability, and risk management is shared in certain areas like identity and access management. More importantly, because responsibility is shared, transitioning one's IT infrastructure from on-premises to a cloud-based service significantly reduces the burden of complying with regulations.
Compliance management tools help business leaders prioritise which actions to focus on to improve their overall compliance posture by calculating their compliance score. The extent to which an improvement action affects one’s compliance score depends on the relative risk it represents.
A compliance score measures the progress towards completing recommended actions that help reduce risks around data protection and regulatory standards. The initial score is based on the Data Protection Baseline, which includes controls common to many industry regulations and standards.
While the Data Protection Baseline is a good starting point for assessing one’s compliance posture, a compliance score becomes more valuable once assessments relevant to the specific requirements of the company are added.
Filters can also be used to view the portion of one's compliance score that corresponds to criteria such as one or more solutions, assessments or regulations.
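The scoring model described in the last few paragraphs (each improvement action carries points in proportion to the risk it represents, completed points accrue to an overall score, a baseline assessment gives the starting score, and filters show the portion of the score that belongs to one solution, assessment or regulation) can be made concrete in a few lines. The code below is an added illustration, not the article's or any vendor's product code; the action names, point weights and assessment/regulation mappings are constructed sample data, and the weighting scale is an assumption.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ImprovementAction:
    """One recommended action, weighted by the relative risk it addresses."""
    name: str
    risk_weight: int            # assumed scale: higher = higher relative risk
    completed: bool
    solutions: frozenset        # technical solutions the action is implemented in
    assessments: frozenset      # assessments (baseline or regulation-specific) it belongs to
    regulations: frozenset      # regulations it maps to


# Constructed sample inventory; names and weights are illustrative only.
SAMPLE_ACTIONS = [
    ImprovementAction("Enable MFA for administrators", 27, True,
                      frozenset({"Identity"}),
                      frozenset({"Data Protection Baseline", "GDPR assessment"}),
                      frozenset({"GDPR"})),
    ImprovementAction("Encrypt data at rest", 27, True,
                      frozenset({"Storage"}),
                      frozenset({"Data Protection Baseline"}),
                      frozenset()),
    ImprovementAction("Define a records retention policy", 9, False,
                      frozenset({"Records"}),
                      frozenset({"POPIA assessment"}),
                      frozenset({"POPIA"})),
    ImprovementAction("Enable unified audit logging", 18, False,
                      frozenset({"Logging"}),
                      frozenset({"Data Protection Baseline", "POPIA assessment"}),
                      frozenset({"POPIA"})),
    ImprovementAction("Appoint an information officer", 3, True,
                      frozenset({"Governance"}),
                      frozenset({"GDPR assessment", "POPIA assessment"}),
                      frozenset({"GDPR", "POPIA"})),
]


def _select(actions, solution=None, assessment=None, regulation=None):
    """Apply the optional filters; a filter left as None matches everything."""
    return [a for a in actions
            if (solution is None or solution in a.solutions)
            and (assessment is None or assessment in a.assessments)
            and (regulation is None or regulation in a.regulations)]


def compliance_score(actions, solution=None, assessment=None, regulation=None):
    """Return (achieved_points, max_points, percentage) for the filtered actions.

    Points are risk-weighted, so completing one high-risk action moves the
    score more than completing several low-risk ones.
    """
    selected = _select(actions, solution, assessment, regulation)
    max_points = sum(a.risk_weight for a in selected)
    achieved = sum(a.risk_weight for a in selected if a.completed)
    pct = round(100 * achieved / max_points, 1) if max_points else 0.0
    return achieved, max_points, pct


def prioritise(actions, solution=None, assessment=None, regulation=None):
    """Incomplete actions in the filtered set, highest-risk first."""
    pending = [a for a in _select(actions, solution, assessment, regulation)
               if not a.completed]
    return sorted(pending, key=lambda a: a.risk_weight, reverse=True)


if __name__ == "__main__":
    # Starting point: the baseline assessment only.
    print("Baseline:", compliance_score(SAMPLE_ACTIONS, assessment="Data Protection Baseline"))
    # Overall score once the regulation-specific assessments are added.
    print("Overall:", compliance_score(SAMPLE_ACTIONS))
    # Filtered view: how much of the score POPIA accounts for, and what to do next.
    print("POPIA:", compliance_score(SAMPLE_ACTIONS, regulation="POPIA"))
    for action in prioritise(SAMPLE_ACTIONS, regulation="POPIA"):
        print(f"  next: {action.name} (+{action.risk_weight})")
```

Running the sample shows the point the article makes about baselines: the Data Protection Baseline alone reports 75%, but once the POPIA assessment is added the POPIA-filtered view is only 10%, and the prioritised list puts the 18-point audit logging action ahead of the 9-point retention policy.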