Making a movie is an interdependent process.
You've got a director waving a megaphone, telling this person to fetch that, that person to run over there, and those people to do something else entirely. It's a web of activities in which each person must do their part for the whole to move forward. And then there's the producer waiting in the wings, checking that production goes as planned, the budget stays on track, and the release is on time.
If one person drops the proverbial ball, or is too busy to pitch in, this interdependent process grinds to a standstill.
It's not so different in Compliance (sans the glamorous events and paparazzi).
There's a director (you), waving your megaphone (okay, iPhone) frantically at your R&D Manager, the Head of HR, the DevOps Lead, and a few others, trying to get what you need to move ahead with audit preparations. And there's the Board hovering close by, waiting to hear that SOC 2 is in the bag, ISO 27001 is a sure thing, and oh yes, you're *this close* to meeting PCI DSS.
And if one of your stakeholders ignores your pleas for assistance, everything comes to a stop. To make things more complicated, while a movie crew shares the same goal of making the film and raking in lots of money, your stakeholders don't necessarily share your goals. Fulfilling Compliance requirements is dependent on others, all of whom have their own core functions to perform—and understandably, your requests and favors are not always their highest priority.
Take evidence collection, for example. Preparing for an audit means gathering evidence from systems across the organization: access reviews from IT, hiring and termination records from HR, change-management tickets and scan results from engineering. You must repeatedly ask the owners of those systems for this information, placing a continuous and significant burden on them on top of their regular work. Badgering Heads, Managers, and Leads for evidence consumes both their time and yours. It eats resources that could support core activities, and it positions Compliance as an impediment to innovation and growth.
Then there is the need to bring in outside consultants. Each framework has so many details and nuances. PCI DSS, for instance, includes a frequently misunderstood requirement to detect wireless access points on a quarterly basis. Does that mean walking the premises with a scanner, or checking for a WiFi adapter that someone has plugged into a sensitive server? (The requirement is aimed at rogue wireless access points in or near the cardholder data environment, so in practice it covers both, but few people know that without being told.) Then there is SOC 2, which is based on the Trust Services Criteria. Who understands the meaning of "COSO Principle 12: The entity deploys control activities through policies that establish what is expected and in procedures that put policies into action" on their own?
So the typical approach is to hire outsiders to translate these esoteric controls into an understandable format. But this makes you subject to their schedules, which may or may not line up with your audit prep plans. What if they happen to be on vacation, out sick, or simply too busy when you need them?
Recently, we asked a few Compliance professionals across multiple industries about their greatest frustrations around being dependent on others. Here is what they had to say:
“I hate playing hot potato, with every department head thinking that the responsibility is on the head of another department. Then you become a kind of arbitrator, trying to get others to commit to taking responsibility.” -- Security Director from the Defense Industry
"It's all about timing and collaboration... not everyone can always help you the minute you ask." -- Ex-Compliance Manager at a billion-dollar startup
“It’s so frustrating to work internally with people who do not appreciate and understand the need on one hand, while on the other, you get an auditor who is lacking in technical expertise...who just scheduled a meeting with you and a technical staff member. What a shame!” -- CISO at a financial institution
These frustrations make sense; they are the natural byproduct of needing to depend on others to get your own job done.
“There is no dependence that can be sure but a dependence upon one’s self.” - John Gay
This 18th-century English poet probably wasn't a Compliance Manager, but he was on the right track. If your Compliance processes depend on others, there's a good chance they will come to a screeching halt, or at least slow to a crawl, every now and then.
This is the case for running your Compliance effort as a one-person show: a process that you own, so that no one and nothing can hold it back or stall its progress. With the right tools, you can remove dependencies on others and stop waiting endlessly for them to take care of their Compliance responsibilities.
By automating evidence collection (pulling access lists, configuration snapshots, tickets, and logs directly from the systems of record instead of asking their owners for screenshots), teams can prepare for audits without relying on, and continuously bugging, others. With automation, your team doesn't need to parse specific clauses or hire a consultant to explain them: out-of-the-box control translation and evidence-to-control mapping make the requirements straightforward. You never have to worry that a stakeholder or consultant will be unavailable when you need them, and, most of all, you don't have to worry about Compliance being painted as a time-waster.
Compliance should be about establishing and verifying sound security practices, not about chasing evidence. With the right set of tools, you can remove dependencies, reduce cost and time investment, and finally focus on your primary goals and get back to what matters most.