We seem to live in a world dominated by metrics and statistics. I even fall prey to it from time to time. We all want to claim that we have the most, gained the most, stopped the most or otherwise done something that we can defend with the use of numbers! It's no different when it comes to compliance.
It's no secret that I spend a lot of time helping companies address compliance and privacy through risk assessments, policies and developing effective risk management programs. We have had some Security Catalyst podcast episodes that have addressed some of these areas, and we will have more in the future.
The concern I see now is what I call the "whitewashing of compliance" – when a company simply "goes through the motions" to claim it has achieved compliance, when it has really done little, if anything, to truly improve its security posture. Not all whitewashing is intentional – some is the result of too much to cover in too little time combined with the need to show results.
I've also started to see a trend where the people responsible for assessing compliance are not fully comfortable with the requirements, and are therefore unable to properly assess the different aspects of an organization, and/or take the word of the group responsible for the asset. Think about it: if I come to you asking probing questions about your security – and you know it is for our compliance initiative – you may be inclined to paint a rosy picture for a variety of reasons. And even if you tell the truth, you may seek to spin it in the best possible light.
The result of these and other common whitewashing activities is poor (if any) controls that ultimately mask, or lead to, higher risk. The end result, if that risk is realized, could range from penalties to the end of the business (and the way you pay your own bills).
This is something that we have to call an end to today. In my experience, you will be better off (note, I am not a lawyer) if you can demonstrate a well thought out plan and true progress as opposed to smoke and mirrors.
Here are five basic steps you can take to prevent (or stop) whitewashing in your organization and make a real difference:
Take The Time To Understand The Regulations Or Compliance Directives You Need To Follow.
"If you fail to prepare, you prepare to fail."
For example, HIPAA has two types of requirements – and there is a specific way you need to deal with each in terms of how you justify and document your actions. Sarbanes-Oxley and FISMA are similar in nature, and actually require proof that the control works as described! You have less chance of success if you don't completely understand the requirement before you start.
In my efforts, I build a matrix of what is required to allow for easy assessment and tracking through the process.
Understand Your Business
One of the most critical mistakes I see is that groups launch into action before completely understanding their business. The bulk of our solutions are not based entirely on technology, but rather focus on the people and processes. If you don't understand those critical elements, you are doomed to failure.
Don't Be Afraid To Ask Questions
I have a simple rule that I follow: if something doesn't seem right, it probably isn't. Of course, I'm not always right – and the quickest way to learn more (to make a more informed decision) is to ask more questions. You don't have to (and probably shouldn't) be confrontational, but by asking probing questions – and truly considering the answers – you will learn enough to know if you are meeting your compliance goals and protecting the organization.
Empower Those Around You To Help
"Many hands make light work."
In my experience, those responsible for the systems of the organization are truly interested in helping to protect their assets. I have been spending more time helping organizations address personal responsibility – and consistently find that the people I work with are interested in helping, but either don't know how or feel unwelcome to do so. If you offer to explain, ask for help and empower those around you to take personal responsibility, some of the load is lifted off your shoulders.
Know When And Who To Ask For Outside Assistance
I will make no new friends with this statement, but be careful when seeking outside assistance. I am amazed at the number of compliance "solutions" and companies that spring up on a monthly basis. Compliance is about thinking, planning and then taking action. I have yet to be "wowed" by a compliance solution or new company that can "do it for you."
That said, working with qualified auditors to VALIDATE the work you have already done is a solid and necessary step. But choose wisely – and make sure you ask some questions before you get started so you know how your relationship will work. Even the auditors aren't perfect, and will need your guidance. Don't lose sight of the fact that you know your business better than everyone else.