We seem to live in a world dominated by metrics and statistics. I even fall prey to it from time to time. We all want to claim that we have the most, gained the most, stopped the most or otherwise done something that we can defend with the use of numbers! It’s no different when it comes to compliance.

It’s no secret that I spend a lot of time helping companies address compliance and privacy through risk assessments, policies and developing effective risk management programs. We have had some Security Catalyst podcast episodes that have addressed some of these areas, and we will have more in the future.

The concern I see now is what I call the “whitewashing of compliance” – when a company simply “goes through the motions” to claim they have achieved compliance, when they really have done little, if anything, to truly improve their security posture. Not all whitewashing is intentional – some is the result of too much to cover in too little time combined with the need to show results.

I’ve also started to see a trend where the people responsible for assessing compliance are not fully comfortable with the requirements, and are therefore unable to properly assess the different aspects of an organization, or simply take the word of the group responsible for the asset. Think about it: if I come to you asking probing questions about your security – and you know it is for our compliance initiative – you may be inclined to paint a rosy picture for a variety of reasons. And even if you tell the truth, you may seek to spin it in the best possible light.

The result of these and other common whitewashing activities is poor (if any) controls that ultimately mask, or lead to, higher risk. If that risk is realized, the consequences could range from penalties to the end of the business (and the way you pay your own bills).

This is something that we have to call an end to today. In my experience, you will be better off (note, I am not a lawyer) if you can demonstrate a well thought out plan and true progress as opposed to smoke and mirrors.

Here are five basic steps you can take to prevent (or stop) whitewashing and make a real difference in your organization:

Take The Time To Understand The Regulations Or Compliance Directives You Need To Follow.
“If you fail to prepare, you prepare to fail.”

For example, HIPAA’s Security Rule has two types of implementation specifications – required and addressable – and there is a specific way you need to deal with each in terms of how you justify and document your actions. Sarbanes-Oxley and FISMA are similar in nature, and actually require evidence that the control works as described! You have less chance of success if you don’t completely understand the requirement before you start.

In my efforts, I build a matrix of what is required to allow for easy assessment and tracking through the process.

Understand Your Business
One of the most critical mistakes I see is that groups launch into action before completely understanding their business. The bulk of our solutions are not based entirely on technology, but rather focus on the people and processes. If you don’t understand those critical elements, you are doomed to failure.

Don’t Be Afraid To Ask Questions
I have a simple rule that I follow: if something doesn’t seem right, it probably isn’t. Of course, I’m not always right – and the quickest way to learn more (and make a more informed decision) is to ask more questions. You don’t need to (and probably shouldn’t) be confrontational, but by asking probing questions – and truly considering the answers – you will learn enough to know whether you are meeting your compliance goals and protecting the organization.

Empower Those Around You To Help
“Many hands make light work.”

In my experience, those responsible for the systems of the organization are truly interested in helping to protect their assets. I have been spending more time helping organizations address personal responsibility – and consistently find that the people I work with are interested in helping, but either don’t know how or feel unwelcome to do so. If you offer to explain, ask for help and empower those around you to take personal responsibility, some of the load is lifted off your shoulders.

Know When And Who To Ask For Outside Assistance
I will make no new friends with this statement, but be careful when seeking outside assistance. I am amazed at the number of compliance “solutions” and companies that spring up on a monthly basis. Compliance is about thinking, planning and then taking action. I have yet to be “wowed” by a compliance solution or new company that can “do it for you.”

That said, working with qualified auditors to VALIDATE the work you have already done is a solid and necessary step. But choose wisely – and ask some questions before you get started so you know how the relationship will work. Even the auditors aren’t perfect, and they will need your guidance. Don’t lose sight of the fact that you know your business better than anyone else.

About the Author Michael Santarcangelo

The founder of Security Catalyst, Michael develops exceptional leaders and powerful communicators with the security mindset for success.

