For most companies, tracking and managing your compliance efforts is a monstrous task. It’s like trying to slay a dragon, and you’re likely to get burned in the process. Having the right tools and a streamlined process cuts the legs out from under the dragon, but you’ve still got more work to do if you’re going to slay it.
This is the sixth step in our series on taking control of compliance management in 2019. Just now joining the conversation? Check out the rest of the series:
- Survey the landscape of your compliance certification requirements
- Evaluate your vendors and auditors
- Build your budget
- Choose the best compliance tools
- Streamline compliance management
- Recruit your compliance team (this post)
- Train your people
- Automate ongoing compliance tasks
Your people are the most important key to gaining control of your compliance management. No matter how strong your processes or how cool your tools are, it still comes down to your people to keep your compliance management under control.
If you’re going to slay the compliance dragon, you’ll need to have the right people on your compliance team. A compliance team is a set of key people in your company and trusted vendors, who work together to make compliance run smoothly and effectively. You can’t just clap your compliance administrator on the back and wish them luck.
Your compliance team should meet on a regular basis to review your compliance deliverables. For each element of compliance, you’ll need to confirm that you’ve got the right information and that it’ll pass muster—then pass it through your compliance workflow. TCT Portal makes this really easy by laying out what needs to be done, when, how often, and who needs to review it during compliance management and validation.
Assembling Your Compliance Team
Who do you need on your team, and what qualifications do they need? That’ll depend on several things:
- The certifications you have
- Your particular hosting environment
- The vendors you partner with
Anyone who has compliance responsibilities could be on your compliance team, but at the very least, be sure to consider the following people:
- Compliance officer
- IT director
- C-level executive
- Firewall and system engineers
- Day-by-day IT support
- Software development representative
- Database representative
- Security person
- Vendors with security / compliance responsibilities
- Assessment firm and external consultant, if leveraged
- Legal, as needed
- HR, as needed
The people on your team need expertise, patience and tenacity. They need to be good with coordination and collaboration. Take stock of what you have internally, then figure out what gaps need to be filled.
Someone on the team will be the point person to do all the orchestration, like a type of project manager. This person not only needs to be good with project management, they also need proficient knowledge of compliance and the technical domain. Truthfully, it’s a deceptively complex assignment and an extremely hard role to fill properly. Don’t simply grab one of your project managers to do the job. Compliance is a beast with specific issues, and having the wrong point person typically doesn’t end well.
Get the Right People on Your Compliance Team
Chances are, most of your internal personnel won’t be qualified to support your security and compliance efforts. Your people are terrific at doing what they do, but when it comes to security and compliance, you need someone with expertise in that realm.
The biggest bad assumption that organizations make is that just because someone knows how to take care of IT stuff or manage financial audits, they must be able to do compliance audits. Those internal resources may be very good at what they do, but that doesn’t mean they can do their job in a secure and compliant manner.
I cannot stress this enough—being a specialist in IT doesn’t mean you’re a specialist in security and compliance. You cannot simply assume that your current staff have the knowledge and experience to keep your company secure and compliant. If you do, you’re taking a huge risk with your company’s wellbeing.
For most small to midsize organizations, you’ll need to hire contractor specialists for the following roles:
- Legal counsel
- Technical project management
- Other technical responsibilities, as needed
Legal is one area a lot of companies miss. You may have a lawyer who specializes in employment law or contract law, but it takes a special person in the legal arena who knows cybersecurity and compliance laws. It’s critical that you have someone on your team with that experience, and few corporate lawyers do.
This same lawyer who knows the cybersecurity space also needs to intimately know your specific legal ramifications, should something go horribly awry. They need to know your contracts, your business and the obligations you have to clients. And they need to know what requirements you’re subject to from a myriad of drivers, such as industry standard compliance and regulatory requirements.
Acknowledge Your Limitations
Before we go any further, let’s acknowledge the complex situation you’re in. Your internal resources are experts in their field, and they feel a great deal of pride about that. And for years, your organization may have blindly assumed that your IT team are experts in security and compliance.
That assumption has put them in an awkward position, making it difficult to be completely transparent about their limitations. On top of that, your staff may be afraid that involving external resources will put their jobs at risk.
The best way forward is to see the value in all your internal players, and to communicate that to them. Assure your IT staff that their jobs are secure, and they’re highly valued—AND you’re bringing in someone who has a particular skill to fill a gap. Make it clear that these resources are supplemental partners to your internal staff—they aren’t replacing anyone.
As a CISO, you might be in the same boat as the people below you—you don’t know security and compliance inside and out. You’ve never had to get neck-deep in a security and compliance engagement. And it’s even worse for you, because you’re the one who has to steer the ship.
What we need is a level of compassion and understanding from the very top level—from the executive leadership team, Board of Directors or the CEO. The light bulb needs to turn on at that level, so that everyone can navigate these waters without having to watch over their shoulder. And you should extend that compassion and understanding to the people who report to you. That frees up both you and your people to simply do what needs to be done and bring in the right expertise.
Train Up to Slay That Dragon
Your external security and compliance specialists are there to coordinate with your current internal resources and trusted vendors, as valuable partners in compliance. They WON’T replace your staff. These specialists will have technical expertise, but no context of your organization’s business needs. You still need your existing internal resources, who have both business knowledge and technical skills.
Your partners in the security and compliance space are just that: partners. I don’t go into an organization with the goal of supplanting anyone there. I’d rather help them learn and get up to speed. Heck, I got into this business for the express purpose of helping people. Not only can they better serve your company long term, they’ll be far more valuable members of your team as a result.
Your external resources should, from the outset, help evaluate the skill set and capabilities of your internal staff and trusted partners. You want to keep the existing players on your team, but you also want to get them up to speed—and these specialists can give hands-on guidance to your internal people, providing real-world insight into validity, approach and options.
At the end of the day, everyone in your organization should have some amount of security/compliance training. We’ll get into that next time.