Thanks for stopping by for the next Compliance Myth! In the last post, Intreis Myth Busters tackled the myth “Technology will make us compliant”. In this 9th installment, we’ll challenge the common excuse “We don’t have enough resources to achieve compliance”.
Sound familiar? The easiest response to the compliance challenge is to ask for more staff or more money. That is not always necessary. Be creative, take the challenge head on, and show how valuable IT can be.
Be more than “re-boot robots.”
Like technology, IT must continue to evolve. If you ask for additional staff or funds without first investigating the alternatives, you will lose credibility, and that may dampen the chances of similar requests being approved in the future. Recognize that tasks and areas of focus can and will change as the technology and the business change. Be proactive in assessing these needs!
This excerpt from Computer Economics, Research Byte: IT Security Staffing Ratios: 2011, presents an interesting perspective on this issue:
“IT Security Staffing Ratios” states that IT security is hiring the same number of security staff as it was several years ago, even with the heightened attention to security lately… “IT organizations are strengthening network and data security without expanding the number of IT security professionals on their staff.”
Ultimately, their conclusion is that you do not necessarily have to increase staff to maintain strong security and compliance. So, where do you begin? Based on my experience and research on this topic, I have identified several strategies and methods that may provide insight into achieving compliance with existing staff and budget. Begin by challenging what is already in place…
Remove Complexity
Complexity is generally associated with increased risk and cost. Be sure to scrutinize the complex processes that might be weighing down your organization, and simplify where you can. Focus on what is critical, necessary, and acceptable to the business. Eliminate the rest, if possible.
Strive for balance between effectiveness (service level) and efficiency (the ratio of cost to risk reduced). Often, staff members are spending time on nebulous activities when they could be focused on something more productive. Minimize non-productive tasks by adopting documented best practices rather than reinventing the wheel. Use simple methods and tools to identify priorities, such as a risk matrix: score each risk by its severity, its probability, and how easily it can be detected, and plot the results. Based on its risk appetite, the business can then determine which risks to manage, which to mitigate, and which to control.
Re-evaluate Your Staff
While you are removing complexity from processes, apply the same thinking to your staff. Look at the existing team by asking these questions:
- Who has extra bandwidth?
- What skills will be needed to accomplish compliance initiatives?
- Who has those skills, or the ability to learn them?
Reassigning responsibilities can have a significant, positive effect on productivity and staff morale. At a minimum, redirect your resources toward the critical tasks rather than the redundant, less significant ones. It is also important to keep up with current technology trends and best practices: can the staff add value by using existing technology in a new way? Stay aligned with business needs and retrain staff so their skill sets address those needs. Ideally, you want to build a flexible, accountable, and motivated team.
So now you have streamlined processes and built a team ready to make a difference. What’s next?
Automate, Automate, & Automate!
Once you have determined what is needed to meet compliance requirements, automate the supporting tasks wherever you can. Automating repeatable, redundant compliance tasks minimizes control costs, especially when you first identify the commonality between requirements so that one control satisfies many of them. Consider groundbreaking tools like the Unified Compliance Framework (UCF) from Network Frontiers, which maps a single control to the many requirements it satisfies. Ongoing, incremental automation of tasks yields productivity gains, which frees up resources for work that furthers business goals and demonstrates that IT is an enabler of those goals rather than an obstacle.
There are many IT tools on the market that automate compliance efforts and tasks. Because compliance tasks are by nature repeatable, some existing ITSM tools integrate IT Governance, Risk, and Compliance functions alongside operational ones. Processes like Change, Incident, and Problem Management, Automated Job Execution, and Scheduling can work in conjunction with each other by sharing common data. Whether you adopt a dedicated tool or not, automation can be achieved with practices that are already commonplace in IT environments today.
Governance
Governance must be in place to manage these efforts. There must be ownership and accountability to ensure controls are implemented properly, and a method for keeping awareness alive over time. Invest in the future of your business by managing compliance as an ongoing program rather than a project with an end date. With an active Governance, Risk and Compliance program in place, results can be seen across all areas of the business: improved operational support (responsibility), a process control methodology (transparency), and content control (an indisputable trail of evidence). Those results inherently provide the appropriate oversight and ensure continuous process improvement.
Bust that Myth!
By using some (or all) of these strategies and methods to optimize staff and budget, you will demonstrate that IT is a partner to the business rather than a cost center. IT and the business share a common goal: the success of the enterprise. The efforts described above reinforce each other and should be pursued together.
That wraps up the 9th Compliance Myth debunked by Intreis Myth Busters. Next week we’ll cover “Compliance is largely an IT problem.” That will be our 10th and final post in the series… unless you’ve got a Compliance Myth that we haven’t covered yet! Share it with us below, or tweet us!