Remember the show “The Odd Couple”? Even if you don’t remember the original series, you may remember the 2015-17 remake with Matthew Perry and Thomas Lennon. The plot – two guys get kicked out by their wives and move in together. And here's the hook: they are complete opposites. Felix is neat, Oscar is messy. Felix has “sophisticated” taste. Oscar is basically a heathen. But even when they disagree — which is every episode, obviously — they make up and are begrudging friends by the time the end credits roll.
In business, though, it’s not great when different departments fail to see eye to eye, especially if one group devalues the other, even ever so slightly. Take Security and Compliance people. Compliance and Security professionals often come from different backgrounds, with different skill sets. And while definitely not polar opposites like Oscar and Felix, and while both groups perform essential work for the business, it sure does seem like Security people often fail to appreciate the value of the Compliance team. For your business to truly succeed, it is crucial to have Security and Compliance working together.
So what can you do to change the perception and align your Compliance and Security teams? It’s a basic tenet of human relations: you can’t change other people, even when their perception is mistaken. If you want to get more respect, the quest starts by considering how you can bring more perceived value.
Here are a few suggestions to start you off:
The first way to get more respect is by knowing more about what the Security people know, i.e., get more technical. If you want to have a meaningful conversation with the Security team about a deeply technical area, you need to understand it well. Pick a few areas in which to become more of an expert, choosing areas germane to both Security and Compliance. A suggested area: Identity and Access Management (IAM). You’ll go a long way toward earning respect by speaking the same language Security speaks about IAM, and you’ll get Security to care about it in the same way you do.
You probably won’t be as technically knowledgeable as Security is in every area, but getting more technical in specific areas is a good start. You’ll have more productive conversations and a better understanding of the actual risks, beyond mere controls and paperwork. This greater understanding will allow you to discuss a huge area of concern to your business — how it’s securing assets. Both Security and Compliance will be working together to share the data that matters, and make it better for your business.
Security professionals are passionate about drawing attention to pressing issues. Compliance pros, on the other hand, excel in bringing order and regimentation, approaching problems in an analytical way. So here’s a chance for symbiosis, wherein Compliance can help structure how Security approaches problems. For example, look at vulnerability management. Both Compliance and Security professionals are concerned, but from different perspectives. Compliance could offer to set up a structure that ensures scans run on a regular basis and that the control works the way it should. That’s one way Compliance can become a valuable part of increasing the company’s overall security posture.
As the group often tasked with the continuous risk management process, the Compliance team can help Security report results in a way that’ll be more meaningful to the board in terms of showing relevance to the business: the impact of their findings, the alternatives for remediation, etc.
One example: Compliance maintains a risk register, a repository of information about known risks. A Security team is generally less likely to have an up-to-date, comprehensive risk register. When it comes to presenting to the board, Security’s technical expertise may nevertheless fail to prepare them for answering the board’s questions about how the company is scoring risks and how scores have changed over time. By sharing risk information with Security, you can help Security prepare for board-level presentations.
Putting out fires is exciting. It’s a whole lot less exciting to keep fires from happening in the first place. But here, too, you can help Security focus on risks that are unexciting but still threaten the company.
One way to do this is with Compliance automation to make handling necessary but rote work easier and faster. Security teams are familiar with automated alerting tools, but may be less familiar with using automation to replace everyday manual work. Security and Compliance working together can help Security automate high effort/low value areas, so they can devote efforts where they matter more.
Here’s another way Security and Compliance can collaborate: look at vulnerability management tools, which periodically produce vulnerability lists in order of priority. Going down that list on a regular basis and reviewing vulnerabilities is boring and time-consuming, but for the company’s safety, and from a Compliance perspective, it’s essential. The problem is when lists get created but vulnerabilities don’t actually get fixed, leaving businesses open to breaches. If, for example, the Compliance team uses automation so that the list of priorities shows up on the Security team’s dashboard every day, without Security having to pull the list, it can encourage Security to focus on known vulnerabilities, even when there are other lower-priority “breaking news” threats that would otherwise draw their attention away. So Compliance can use automation to help Security do its job.
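The daily prioritized list described above can carry one more piece of information that keeps vulnerabilities from being created-but-never-fixed: how far each open finding is past its remediation deadline. The following is an added example, not code from anecdotes or from any scanner vendor. The findings, the asset names and the per-severity SLA days are all constructed assumptions; a real digest would read the scanner's export and the SLA values your policy sets.

```python
"""Daily digest of open vulnerabilities, ranked by severity and SLA overrun.

Added example (not anecdotes' code). The findings and the SLA_DAYS table are
constructed; in practice both come from the scanner export and the written
remediation policy.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical remediation SLAs in days, by severity (an assumption).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
# Sort order for the digest: most severe first.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Finding:
    finding_id: str
    asset: str
    severity: str
    first_seen: date
    status: str  # "open" or "fixed"


def days_overdue(f: Finding, today: date) -> int:
    """Days past the SLA deadline; negative means still inside the SLA."""
    deadline = f.first_seen + timedelta(days=SLA_DAYS[f.severity])
    return (today - deadline).days


def build_digest(findings, today):
    """Return open findings sorted by severity, then most overdue first,
    each annotated with days_overdue and an sla_breached flag."""
    rows = []
    for f in findings:
        if f.status != "open":          # fixed items drop off the list
            continue
        overdue = days_overdue(f, today)
        rows.append({"id": f.finding_id, "asset": f.asset,
                     "severity": f.severity, "days_overdue": overdue,
                     "sla_breached": overdue > 0})
    rows.sort(key=lambda r: (SEVERITY_RANK[r["severity"]], -r["days_overdue"]))
    return rows


def format_digest(rows):
    """Render the digest as fixed-width text suitable for a dashboard panel."""
    lines = []
    for r in rows:
        flag = "BREACHED" if r["sla_breached"] else "ok"
        lines.append(f'{r["severity"]:<8} {r["id"]:<10} {r["asset"]:<14} '
                     f'{r["days_overdue"]:>4}d {flag}')
    return "\n".join(lines)


# Constructed sample findings (not real scan output).
SAMPLE = [
    Finding("VULN-0001", "web-frontend", "critical", date(2024, 3, 1), "open"),
    Finding("VULN-0002", "db-primary", "high", date(2024, 2, 1), "open"),
    Finding("VULN-0003", "build-agent", "medium", date(2024, 1, 15), "fixed"),
    Finding("VULN-0004", "vpn-gateway", "high", date(2024, 3, 10), "open"),
    Finding("VULN-0005", "wiki", "low", date(2023, 6, 1), "open"),
]
TODAY = date(2024, 3, 20)  # constructed "run date" so the output is stable

if __name__ == "__main__":
    print(format_digest(build_digest(SAMPLE, TODAY)))
```

Sorting on severity first and overrun second means a freshly found critical still outranks a long-neglected low, while within one severity the item most likely to embarrass the company in an audit rises to the top. The fixed finding disappears from the digest, which is the evidence Compliance wants that the control closed the loop rather than just opened tickets.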
As the Compliance leader, you can make sure Security understands the importance of your team’s work. Explain to Security that when Compliance does its job well, security is strengthened. For example, when it comes to IAM, Security may assume that, based on controls, people truly have only the access permissions they’ve been granted. But you know the nitty-gritty details. You know because every quarter you review everyone's access and can see when someone holds permissions beyond what they should have. In this way, Security and Compliance are working together to monitor whether essential security controls are actually doing what they’re meant to.
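The quarterly access review above boils down to a reconciliation: what each person actually holds in the identity provider, compared with what their role is supposed to allow according to HR. Here is an added example of that check, not anecdotes' code or any IdP's API. The role baseline, the HR roster and the grant export are constructed inline; a real review would pull them from the IdP and HR system. It goes slightly beyond the paragraph by also flagging grants that belong to people who have left (orphaned) and to people HR has no record of (unknown), the two cases reviewers most often find alongside plain excess access.

```python
"""Quarterly access review: reconcile granted entitlements with role baselines.

Added example (not anecdotes' code). ROLE_BASELINE, ROSTER and GRANTS are
constructed stand-ins for the HR system and the identity provider export.
"""
from collections import defaultdict

# Hypothetical role baseline: the permissions each role is expected to hold.
ROLE_BASELINE = {
    "engineer": {"repo:read", "repo:write", "ci:run"},
    "finance": {"ledger:read", "ledger:write"},
    "support": {"tickets:read", "tickets:write", "customer:read"},
}

# Constructed HR roster: who is active and which role they hold.
ROSTER = {
    "alice": {"role": "engineer", "active": True},
    "bob": {"role": "finance", "active": True},
    "carol": {"role": "support", "active": False},   # left last month
}

# Constructed export of actual grants from the identity provider.
GRANTS = [
    ("alice", "repo:read"), ("alice", "repo:write"), ("alice", "ci:run"),
    ("alice", "ledger:write"),          # excess: not in the engineer baseline
    ("bob", "ledger:read"), ("bob", "ledger:write"),
    ("bob", "prod:admin"),              # excess: not in the finance baseline
    ("carol", "tickets:read"),          # orphaned: carol is no longer active
    ("dave", "repo:read"),              # unknown: no HR record at all
]


def review_access(grants, roster, baseline):
    """Return the exceptions an access reviewer must act on:
    excess   - a permission beyond what the user's role allows
    orphaned - an inactive user who still holds grants
    unknown  - a user with grants but no roster entry
    missing  - a baseline permission the user does not hold (least-privilege
               drift in the other direction; usually a ticket, not a risk)."""
    held = defaultdict(set)
    for user, perm in grants:
        held[user].add(perm)

    exceptions = {"excess": [], "orphaned": [], "unknown": [], "missing": []}
    for user, perms in sorted(held.items()):
        record = roster.get(user)
        if record is None:
            exceptions["unknown"].append((user, sorted(perms)))
            continue
        if not record["active"]:
            exceptions["orphaned"].append((user, sorted(perms)))
            continue
        allowed = baseline.get(record["role"], set())
        for perm in sorted(perms - allowed):
            exceptions["excess"].append((user, perm))
        for perm in sorted(allowed - perms):
            exceptions["missing"].append((user, perm))
    return exceptions


def format_review(exceptions):
    """One line per exception, grouped by kind, for the review record."""
    lines = []
    for kind in ("excess", "orphaned", "unknown", "missing"):
        for user, detail in exceptions[kind]:
            lines.append(f"{kind:<8} {user:<8} {detail}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_review(review_access(GRANTS, ROSTER, ROLE_BASELINE)))
```

The output is the artifact Compliance can hand to Security: a short, reproducible list of deviations from the control's intent, each with the user and the specific permission, rather than a statement that "access was reviewed". Running it from the same inputs each quarter also gives the change-over-time view the board tends to ask about.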
Security and Compliance might be kind of an odd couple (let’s not say who’s Felix and who’s Oscar), but one thing is pretty clear – you can’t live without each other. Using our suggestions, you can help your team become more valuable to, and valued by, the Security team and thus, the entire organization.
Security and Compliance working together is just one of the ways your different departments can collaborate to ease the workload and take your organization to the next level. Reach out to the Compliance experts at anecdotes and discover how data-driven automation can enable your teams to work together, helping each other to guarantee the best results.