Murdering Compliance in Cold Blood

By Paul Proctor | April 01, 2013 | 2 Comments

Compliance is no longer the driver for IT risk and security. Compliance is just one of many risk domains to be addressed in a mature risk management program and approach.

Organizations must develop a mature risk management program and approach to effectively manage IT risk and security through well-designed, well-implemented and well-executed controls. The goal of this program should be to balance the need to protect the organization against the need to run the business. Compliance should be treated as one domain of risk within this program and should not be allowed to drive decision making. Compliance is an outcome of a well-run risk management program.

Responding to regulatory mandates can result in a focus on addressing the mandate rather than on protecting the organization. "Compliance" has become a catch-all term many organizations use to describe whatever actions they take to address risk and security, because they have a regulatory requirement to do so. In many organizations the security team reports into the compliance function, and this is counterproductive.

Stop Trying to Be Compliant, Because That Isn’t What the Laws Require Anyway

Compliance mandates have been in transition for more than a decade to become risk-based, but organizations have not kept pace. The mandates have all moved away from a list of controls you must implement (the classic compliance approach) to a requirement to perform a risk assessment and implement appropriate controls based on the level of risk.

HIPAA, for example, is not a list of controls that should be implemented. It is a list of risk domains with the requirement to perform a risk assessment and determine which controls are reasonable and appropriate to address reasonably anticipated risks. Any controls deemed reasonable and appropriate are then required by law. In a 2012 series of spot-check audits of health care organizations in the United States, most failed, not because of a lack of controls, but for the lack of a recent risk assessment to support their control implementation choices.

This approach gives organizations the flexibility to do what is necessary for their unique situation and to create a program of controls that actually helps the organization succeed. Too often organizations still treat compliance activities as a check-box exercise with little regard for the related risks those activities are intended to address.

Stop Chasing Your Tail On Specific Regulations, Regulatory Distraction Must End

Most organizations are so buried in risk and security compliance requirements that they can't keep up with all of them. In the United States, an organization must address a patchwork of state regulations for the protection of personally identifiable information (PII) and breach notification, industry-specific regulation (HIPAA, NERC CIP, GLBA, 21 CFR Part 11, etc.), and emerging federal requirements. Global enterprises face a patchwork of privacy and security requirements that vary greatly from country to country. All of this creates a level of regulatory distraction that makes success almost impossible.

Gartner recommends that organizations create a formal and defensible program of controls based on the specific situation and risks unique to each organization. The rules and laws should then be mapped onto the controls that have been proactively selected, and a defensible case made that the laws are being appropriately addressed. As stated earlier, this risk-based approach is what most of the laws require in any case. Real gaps can then be identified and addressed.

Treated in this manner, compliance becomes just another silo of risk that is addressed as an exercise in mapping and defensibility.

Stop Being a Rule Follower and Become a Risk Leader

Rule followers focus on compliance as a way to avoid negative outcomes; risk leaders focus on ways to adapt to ever-changing risks and achieve positive outcomes. Followers are buried in regulatory distraction that impedes their ability to innovate, perform, optimize and adapt their programs. Followers are busy covering their butts.

Leaders are able to map risk and security dependencies onto desired business outcomes and report these risks to the appropriate decision makers. For example, a modern risk and security program can support mergers and acquisitions through proactive due diligence that guides actual integration decisions by non-IT decision makers. That's influencing the business!

Compliance Is No Longer the Driver: Adapt or Die

Organizations must instill an appropriate level of risk awareness and ownership in those responsible for achieving the desired business outcomes in support of the company's strategic goals. Three questions frame this:

Accountability: How do we reinforce the ownership of risk and control within the enterprise?

Action: How can we ensure that employees act in the best interests of the company and within established risk tolerances?

Achievement: What risk metrics are required, and how are they linked to performance metrics to ensure the desired business outcome?

  • One of the ways to ensure that employees and customers act in the best interest of your company is to involve them early and often in the establishment of risk tolerances. It is imperative that you consider the needs of the company and the needs of your customers in the process. Transparency is key; people don’t like change. It goes a long way to keep users informed of their share in risk management and educate them on why their involvement is good for them. This can work in your favor to strengthen compliance, adoption, cooperation, and customer relations.

  • Jackson Shaw says:

    “Regulatory Distraction Must End”

    Hear, hear! I just returned from a meeting with CSOs and lawyers that was hosted in Menlo Park. I think the best quote that came out of a seasoned CSO was: "Just because you can measure it doesn't mean you should report it."

    Far too often in IT risk management and compliance we get fixated on dials, indicators, heat maps, BI and all the colors that show everything possible related to compliance. The higher you move up in the organization, the simpler it needs to be and the simpler the visualization should be. Showing that you have high risk related to something related to NIST SP 800-30 is crazy, but saying you have PII data that is unencrypted is much more salient to an executive.