Who's in charge of compliance in your organization? Is it your in-house legal counsel? If so, you're not alone. Many businesses, especially in larger enterprises, tend to have a lawyer heading up compliance.
In my opinion, that may not be the ideal person to have running the show. I understand we don't do business in an ideal world, and you're likely to never have the "perfect" person as a compliance officer. With that said, business leaders need to be smart about whom they put in charge of compliance. With the astronomical costs associated with compliance, they have to be.
This leads me to my thoughts on lawyers and compliance. First, let me be clear: I have the utmost respect for lawyers, both in what it takes to become successful in the legal field as well as how their executive-level expertise is integral to running a business. I work with lawyers very closely as an expert witness and quite often in my consulting work. I also have friends who are excellent corporate attorneys. The problem I'm seeing in my work and in the industry in general is that lawyers are put in charge of end-to-end compliance when they're often not the best person for the job.
Compliance is a very complex business issue, with components that include IT operations, information security management, privacy management,
Many lawyers in compliance officer positions focus on the legal and regulatory components of compliance and nothing more. They want to know simply, "Are we compliant?" in order to relay that message onto management. In many situations they create data classification documentation, review security policies and ensure internal auditors keep IT controls in check -- but it ends there. Sometimes overlooked are information risk assessments, vulnerability management, incident response, disaster recovery, access controls and encrypting data in transit and at rest -- all of which are key components of legal and regulatory compliance. Gaps in compliance coverage are a main contributor to the data breach problem that grows every day.
Don't get me wrong: I don't think it's ideal to have a network administrator or information security manager as a compliance officer, either. Many people who fall into this category view compliance with their blinders on as well. They often see compliance merely as a technical issue: patching, conducting security scans, ensuring servers and applications are available and so on.
Nor is it ideal to have a general business manager or auditor who's not technically savvy in charge of compliance. Such people may understand policies and controls and are often good with user education, but there's that large technical component that can get overlooked.
The reality is many compliance managers -- lawyers, IT staff, you name it -- are missing the boat with compliance. I can't tell you how many times I've seen businesses with "compliance managers" who were completely out of the loop on state data breach notification, PCI DSS and even the very information security assessment work I may be performing for their businesses.
The reality is that most lawyers are very good at what they do, but they're not necessarily information security and privacy experts. Likewise, information security experts are often very good at what they do, but they often don't understand the regulatory and legal side of the business. We have to strike a balance. It pays to have a governance/compliance committee with several key players on board and making decisions. There has to be an individual heading up compliance management, but this needs to be a person with the right tools and wisdom.
I believe the compliance officer should be someone with a technical background who understands the value of a solid control framework, strong security and privacy-related documentation; communicates well with management and users; and is eager to stay on top of the compliance landscape. It may seem too ideal to find in an employee, but I know these people exist. I have a good friend who fits this mold and I meet others like this as well, so I know they're out there. It's really a matter of understanding the overall compliance needs of your business and the skill sets required.
Business leaders of the world, think this one through. Focus on minimizing your investment in compliance while maximizing its effectiveness, rather than being just another business contributing to the compliance imbalance. Find the right person, regardless of what degree or professional license he possesses.
Kevin Beaver is an information security consultant, expert witness, as well as a seminar leader and keynote speaker at Atlanta-based Principle Logic LLC. Beaver can be reached at firstname.lastname@example.org.
This was first published in May 2009