by Pierluigi Stella, Chief Technology Officer of Network Box USA
Recently, I was asked whether organizations are in a good state with respect to compliance in general: whether I felt that what they’re currently doing is on the mark and, if not, why.
My immediate response was ~ not really.
Compliance costs money and because it is often perceived as a nuisance by most, it is rarely pursued unless there are serious penalties associated with it and random audits are conducted to ensure and enforce it. I deal with organizations across many different fields but especially with small F.I.s, and I can state with certainty that if it weren’t for the auditors who “pester” them continuously, most (if not all) of them wouldn’t even know where to begin, let alone pursue compliance. There are those who understand the reasons for compliance, but for the most part it is viewed as a ‘cost of doing business’, a nuisance, an ‘issue’.
On that note, I feel it imperative at this juncture to identify some key compliance issues facing organizations today.
One in particular that jumps to my attention is the complete misconception and misunderstanding that you can “be compliant”. No one can ever ‘be compliant’ simply because that expression has no meaning.
Compliance is a business process, something which needs to occur as an ongoing, seamless process throughout the company. We can draw an obvious parallel with security and say it’s impossible to be 100% secure because security is not a mere instant, but a process. And an ongoing one at that, comprised of behavior, understanding, practice, procedures, _and_ technology.
Technology cannot make you secure; it augments the process. The same is the case with compliance. Technology doesn’t make you compliant; having done your self-assessment for PCI makes you neither secure nor compliant; it only helps you in the journey towards compliance.
We need to view this as something dynamic, ever changing, and which needs to be pursued with technology, processes, procedures, education, behavior, every day, in every action the company takes. And THAT is compliance. Unfortunately, because ours is a culture of pills and quick fixes, we tend to think of it as more of “get me a firewall so I can be compliant” than what it actually is, and _that_ is the biggest issue.
Of course, we can also make the case that for smaller organizations, a lack of resources complicates the picture. Pursuing compliance can be a time consuming and costly exercise, and not all organizations can afford to have a compliance officer entirely dedicated to it. In most of the organizations I see, the compliance officer ends up being also the security officer and, in F.I.s, this same person may very well be the Cashier or some other level of SVP. Either way, it’s often a person who has little knowledge of the issues at hand.
Enter the million dollar question ~ are larger enterprises well positioned for compliance-related success as they have the financial means to engage specialized personnel to manage this aspect of the business? Or, conversely, is the smaller player better equipped simply because, typically, they have fewer regulations to deal with from the get go? In any event, I’m often asked if there are indeed any true differences between the various levels of compliance required of small versus large organizations.
For the most part, on a daily basis, I deal with small organizations which have that ‘issue’, and very little with large organizations. Generally speaking, resources are the main problem; but then again, in small organizations, resources are always a problem. The answer to that question depends on how you define success and what “level of success” means.
If success means passing an audit, then small organizations are as likely as large ones (if not better positioned) to succeed, simply because, given their size, regulations are often simplified and some don’t even apply. But if success means ensuring that you actually achieve the objectives of compliance, then it’s a different story altogether.
In such situations, unfortunately, smaller organizations seem to be more likely to view compliance as a nuisance, to try and simply “stay compliant” without even attempting to understand the implications and the reasons why compliance rules were put in place in the first place. On the other hand, larger organizations, with the money to hire specialized personnel, will likely understand the underlying reasons for compliance and pursue those reasons as a means to compliance, thus achieving better results as a business in the process. If you understand the reasons why compliance rules are written the way they are, your entire business process will benefit from pursuing compliance, and compliance is no longer viewed as a nuisance but as strong (and pertinent) business guidance.
Are there specific vertical markets which perform better than others, you ask? Definitely.
The F.I.s have been at the forefront of this for a long time. They are the most regulated industry I’ve come across. Lately, HIPAA and HITECH are fashionable terms, so we tend to think the healthcare industry is the most regulated when in truth, this industry is only now catching up with the need for regulations and compliance.
F.I.s, however, have been regulated for as long as I can remember; and they get audited routinely. A small bank with less than $1Bn in assets receives at least 1 audit a year. If the asset size is greater than $1Bn, then they get 2 audits per year. With such constant deep scrutiny, F.I.s HAVE to do better ~ penalties range from fines to closing the business, and jail time for the C levels is also possible. It isn’t a game to be played lightly.
On the other hand, HIPAA, as the street lingo coins it, has no teeth.
Why? Because it was never meant to. HIPAA stands for health information portability and accountability act. P stands for portability and the word privacy is nowhere in sight. Hence, this is not, in any shape or form, a compliance law.
That said, HITECH is. And it took until 2006 for the health care industry to have such regulation; and it has taken right up to 2012 for authorities to start doing something about it. In 2012, we’ve seen many breaches of information and security in health care, numerous fines, and some serious consequences for some organizations. In 2013, we’re seeing a race to catch up with compliance mandates. Companies in the HITECH compliance business are making money hands down because, finally, the healthcare industry is in a rush to catch up.
The obvious conclusion we can draw from this would appear to be that compliance works only when there are consequences attached to it. I see restaurants rushing to PCI compliance because AMEX has fined them $50,000 and they finally realize that PCI would have cost them half that.
Health Care companies are rushing to compliance because their peers have been hit hard by fines. F.I.s make compliance part of their business processes because they have had to do it for so long that it has now become standard practice, a normal part of their way of doing business (or of their cost of doing business, if you will). And this is the way to compliance; in this, F.I.s clearly lead the way.
Now, to the nitty gritty. What can organizations do to improve their chances of achieving optimal compliance?
The best and most effective way to compliance is to make it a part of your business processes, and, as mentioned earlier, in this, F.I.s are the obvious leaders of the pack.
Stop thinking of compliance as something extra you need to do because someone told you to do so.
Start thinking of it as a way to do business, integrate it entirely within your business practices, in every act, in every paper, in every process and procedure. Think “compliance” every time you try to design a new process, every time you start a new project, every time you buy a desk or a computer (OSHA anyone?), every time you create a new database, every time you hire a new employee.
This will allow the organization to not only be as compliant as the organization could possibly be, but also to remain in a state of compliance for the long term.
It’s never too late to start.