5 Ways Compliance Can Earn Security’s Respect

Sharon Silver
August 31, 2022

Remember the show “The Odd Couple”? Even if you don’t remember the original series, you may remember the 2015-17 remake with Matthew Perry and Thomas Lennon. The plot – two guys get kicked out by their wives and move in together. And here's the hook: They are complete opposites. Felix is neat, Oscar is messy. Felix has “sophisticated” taste. Oscar is basically a heathen. But even when they disagree—which is every episode, obviously—they make up and are begrudging friends by the time the end credits roll.

In business, though, it’s not great when different departments fail to see eye to eye, especially if one group devalues the other, even ever so slightly. Take Compliance and Security people. Compliance and Security professionals often come from different backgrounds, with different skill sets. And while definitely not polar opposites like Oscar and Felix, and while both groups perform essential work for the business, it sure does seem like Security people often fail to appreciate the value of the Compliance team. 

How to Get the Respect Your Team Deserves

So what can you do to change the perception? It’s a basic tenet of human relations: You can’t change other people, even when their perception is mistaken. If you want to get more respect, the quest starts by considering how you can bring more perceived value.

Here are a few suggestions to start you off:

Get More Technical

The first way to get more respect is by knowing more about what the Security people know, i.e., get more technical. If you want to have a meaningful conversation with the Security team about a deeply technical area, you need to understand it well. Pick a few areas in which to become more of an expert, choosing areas germane to both Compliance and Security. A suggested area: Identity and Access Management (IAM). You’ll go a long way toward earning respect by speaking the same language Security speaks about IAM, and you’ll get Security to care about it in the same way you do.

You probably won’t be as technically knowledgeable as Security is in every area, but getting more technical in specific areas is a good start. You’ll have more productive conversations and a better understanding of the actual risks, beyond mere controls and paperwork. This greater understanding will allow you to discuss a huge area of concern to your business—how it’s securing assets. Both Security and Compliance care about this, so the more you can both share the data that matters, the better it’ll be for your business.

Lean in and Help 

Security professionals are passionate about drawing attention to pressing issues. Compliance pros, on the other hand, excel in bringing order and regimentation, approaching problems in an analytical way. So here’s a chance for symbiosis, wherein Compliance can help structure how Security approaches problems. For example, look at vulnerability management. Both Compliance and Security professionals are concerned, but from different perspectives. Compliance could offer to set up a structure that ensures scans run on a regular basis and that the control works the way it should. That’s one way Compliance can become a valuable part of improving the company’s overall security posture.

Make Security Look Good in Front of the Board

As the group often tasked with risk management, the Compliance team can help Security report results in a way that’ll be more meaningful to the board in terms of showing relevance to the business—the impact of their findings, the alternatives for remediation, etc. 

As one example: Compliance maintains a risk register, a repository of information about known risks. A Security team is generally less likely to have an up-to-date, comprehensive risk register. When it comes to presenting to the Board, Security’s technical expertise may nevertheless fail to prepare them for answering the board’s questions about how the company is scoring risks and how scores have changed over time. By sharing risk information with Security, you can help Security prepare for board-level presentations. 

Leverage Automation to Spot Issues

Putting out fires is exciting. It’s a whole lot less exciting to keep fires from happening in the first place. But in this sense, you can help Security focus on risks that are unexciting, but still threaten the company. 

One way to do this is with automation to make handling necessary but rote work easier and faster. Security teams are familiar with automated alerting tools, but may be less familiar with using automation to replace everyday manual work. Compliance can help Security automate high effort/low value areas, so Security can devote efforts where they matter more.

Here’s another way you can help Security: look at vulnerability management tools, which periodically produce vulnerability lists in order of priority. Going down that list on a regular basis and fixing vulnerabilities is boring and time-consuming, but for the company’s safety, and from a Compliance perspective, it’s essential. The problem is when lists get created but vulnerabilities don’t actually get fixed, leaving businesses open to breaches. If, for example, the Compliance team uses automation so that the list of priorities shows up on the Security team’s dashboard every day, without Security having to pull the list, it can encourage Security to focus on known vulnerabilities, even when there are other lower-priority “breaking news” threats that would otherwise draw their attention away. So Compliance can use automation to help Security do its job.

Have a Heart-to-Heart with Security

As the Compliance leader, you can make sure Security understands the importance of your team’s work. Explain to Security that when Compliance does its job well, security is strengthened. For example, when it comes to IAM, Security may assume that, based on controls, people truly have only the access permissions they’ve been granted. But you know the nitty-gritty details. You know, because every quarter you review everyone's access and will see when someone has access permissions beyond what they should have. In this way, your team is monitoring whether essential security controls are actually working.

You’re an All-Star Team – Let Security Know It

Security and Compliance might be kind of an odd couple (let’s not say who’s Felix and who’s Oscar), but one thing is pretty clear – you can’t live without each other. Using our suggestions, you can help your team become more valuable to, and valued by, the Security team and thus, the entire organization.

Sharon Silver
Lawyer-turned-CPA-turned-Writer-turned-Compliance-enthusiast. Lover of words. Fixer of mistakes. Content Specialist at anecdotes.
