Treating Compliance as an Ongoing Business ProcessRSA's Sam O'Brien on Why Compliance Should Not be a Point-in-Time Exercise
Compliance should be an ongoing operational business process designed to derive efficiency, scalability and insight, Sam O'Brien, RSA's GRC business lead for Asia-Pacific and Japan.
"The two common compliance challenges are getting compliant as effectively as possible and, most important, staying compliant over time," he says in an interview with Information Security Media Group. "Compliance not just a point-in-time activity - it should be made an operational business process."
In the interview (see edited transcript below), O'Brien discusses:
- Governance, risk management and compliance lessons learned;
- Common GRC challenges and recommendations;
- Challenges in complying with the EU's General Data Protection Regulation.
O'Brien, RSA's governance, risk & compliance business leader for APJ, has over 13 years' experience in a range of GRC domains - including risk management, compliance and information security.
Top GRC Challenges
VARUN HARAN: What are some challenges in GRC today, and why is it so important to align GRC with security in enterprises?
SAM O'BRIEN: Historically, laws like Sarbanes-Oxley have driven organizations to invest a lot into financial and security controls for their technical operations. That conversation continues to evolve.
But there's shifting focus on a couple of very discrete topics that I think are presenting certain challenges - but also some opportunities. Some of these are getting a good view of how the organization views risk - more commonly referred to as risk culture - and making sure that risk management as a discipline is not just embedded and operational within an organization, but more of a strategic asset.
Then again if we look more broadly, we've seen a lot of organzsations focus more on how they engage with their third parties, and more specifically, what risk is introduced by third parties.
Probably the third top priority would be how organizations deal with the changing of regulatory environments. So, if any large corporation has multiple laws, acts or regulations that they need to deal with across multiple regions; that adds quite a burden to some organizations - not just making sure that they're complying with the rules as they are today, but also [as] they change over time (see: How Will GRC Take on Mobility, IoT?).
HARAN: In the current landscape, for a practitioner - whether you are starting afresh or if you are trying to bring your GRC program up to speed - what are some viable goals for an effective GRC program?
O'BRIEN: I guess what we're seeing now is that organizations are looking for a way to make sure that the processes are not just operational but they're delivering value and doing that as efficiently as possible.
Some of the viable goals may be just starting with a clear understanding of the basics and what their risks are. For some, it starts with making sure they're meeting their mandatory compliance requirements. I'd see that as one of the first stepping stones in rolling out the GRC program, and it's something that organizations are already doing today. But the question for organizations that have a very compliance- or control-oriented view of the world becomes about how to bring in efficiency.
Once they're confident that they've got compliance taken care of, then they can start getting a little bit more agile, making sure that as they are making new business decisions, they set those decisions not just in terms of the compliance requirements that they have, but in terms the potential business risks.
HARAN: The GDPR compliance deadline is just now 6 months away in May 2018. What are some of the challenges related to complying with a data protection regime like GDPR?
O'BRIEN: The first is really the awareness - just making sure that the organization has a good grasp of what their obligations are under various privacy acts around the world - and the one that's grabbing most headlines at the moment would be GDPR. Once you've got that awareness, it really comes down to making sure you understand what you need to do to achieve and maintain compliance, making sure that you've got a good view of how you use information and, more specifically, personally identifiable information, within the business - what parts of your business uses that information, how sensitive it is, how long will you be retaining it and, obviously, how it will be protected.
Moving on from that, the next is making sure you are dealing with privacy in processes: How do you make decisions when you launch new products and services, and do you look at that in the context of privacy? Along the way, for something like GDPR, there are several activities that organizations can improve, like privacy impact assessments, to make sure that the context of that private information is accurately known. Also with GDPR, some specific documents need to be created and maintained.
There's also another aspect to it, which is having to make sure that they're prepared for and ready to respond in any event of a data breach. It's not just about knowing how you use information, not just about protecting that information; it's also about how you make sure you respond to issues impacting that information, making sure that they have the readiness for a data breach and stakeholders in the organization know the steps that need to be taken (see: Addressing GDPR Compliance Challenges).
HARAN: At the beginning of our conversation you mentioned Sarbanes-Oxley and other such regimes around the world. In your understanding, what are some lessons we can learn from these previous initiatives that can be applied to the GDPR equation?
O'BRIEN: If I take that question back to the most basic element and look at some of the compliance issues that are rolled out over the years as you suggested, the common takeaways are probably twofold. One is the consideration around how can we get compliance as effectively as possible. And two, which I think is the most important part, is how to stay compliant over time.
Compliance is not just a point-in-time activity; it should be made an operational business process. We've seen a lot of organizations benefit from basic office tools to help run their compliance programs. I know myself, as a former consultant, used some very sophisticated Excel spreadsheets that help organizations keep track of things like their control registers for compliance.
Ultimately however, we see that it is very difficult for such processes to scale, being very manual and very inefficient. It really comes down to a good, automated system of engagement that is as efficient as possible.
The second part of it is how we deliver good business insights, providing as close to real-time information as possible, giving the management and the stakeholders good visibility of those things not once in a quarter, but hopefully more on a day-to-day basis, so that it becomes an operational process and not a point-in-time activity.
If we're talking about a compliance program specifically, some examples might be: How compliant are we today? What percentage of coverage do we have? What are the major milestone activities that we need to complete in the next 30/60/90 days to make sure we're getting prepared for that next assessment or that next audit? And so on.
That is the goal that a lot of organizations should aim for - making their efforts operational and integrated.