Murphy's Law states, "If more than one person is responsible for a miscalculation, no one will be at fault." This saying perfectly describes what I often see when it comes to implementing and practicing compliance policy guidelines.
You know the deal -- it's likely similar to the attitudes on display at all those weekly meetings you're forced to sit through. Get enough people involved in a situation -- such as when there’s political tension or jobs on the line -- and no one wants to speak up and stand for what’s right.
When it comes to compliance strategy, consider the number of parties involved:
- Information security
- Internal audit
- Human resources
- Executive management
- Third-party vendors
- Consultants and contractors
With numerous people and departments involved with compliance, it's easy to end up in a situation where the organization has staff looking out for themselves instead of the business's greater good. In life and business, individuals are perfectly selfish: A lot of people are going to do what's best for themselves and their own job security. That's just human nature.
This attitude can be extremely problematic when it comes to compliance policy. Compliance has been around long enough for people to understand what's expected and what's at stake, yet it still occurs: the finger-pointing, the buck-passing and the avoidance of compliance responsibility. This is especially true when management is disconnected from the compliance strategy and risk management process: It allows staff to see what they can get away with when it comes to not delivering on their role in the compliance part of the equation.
This attitude can be contagious: Because of the organization-wide reliance on departments meeting their compliance responsibilities, when one compliance process area is lacking, it tends to spread to other parts of the business.
A related problem is when all the right people are not communicating with one another to ensure compliance is being addressed holistically. Like many technical controls that are deployed in any given enterprise, people often work in their own silo, leading to the overall needs and objectives of the business not being met.
Management knows what needs to be done in order to meet a compliance regulation, and often there are people reporting up to it that all's well. But reality shows us that this "all's well" is not the case. One glance at the numerous cases outlined in "Chronology of Data Breaches," a list compiled by the California nonprofit consumer advocacy group Privacy Rights Clearinghouse, will tell you that.
Political and other general self-interests are deadly for IT, security and overall compliance. As with government and politics, all that the individual departments can do is be responsible for their own actions, and try to inspire others to complete their compliance-related tasks.
You need to beware of people doing what's best for themselves and their jobs, but not what's best for the business. Also, never assume that responsibility will automatically translate into accountability. Just because people know what they need to be doing doesn't mean they actually are. It's important to stay diligent as well, because complacency can be very contagious -- especially when it comes to an organization-wide goal such as a governance, risk and compliance strategy. Don't fall into this trap.
Kevin Beaver is an information security consultant and expert witness, as well as a seminar leader and keynote speaker at Atlanta-based Principle Logic LLC. Beaver has authored or co-authored eight books on information security, including The Practical Guide to HIPAA Privacy and Security Compliance and the newly updated Hacking for Dummies, 3rd edition. In addition, he's the creator of the Security On Wheels information security audiobooks and blog.
This was first published in August 2012