Getting your company compliant is a lot like going to the dentist for a crown. No one wants to do it, and everyone puts it off as long as they can stand it. I’ve helped companies achieve compliance for well over a decade, and I’ve heard every excuse under the sun for putting it off. Some excuses were better than others — some were downright entertaining!
How long can you wait before you start achieving compliance at your company? Check out these most common reasons for putting it off and decide for yourself.
We’ll Start on January 1
There seems to be some type of notion that it’s cleaner and easier to set annual cycles by a January-to-December calendar. Therefore, many companies put off their compliance program another quarter or two. It’s more convenient, and it gives you more time to get serious about compliance.
But thousands of other companies are doing the same thing. As a result, there’s a tidal wave of seasonal demand and it can be nearly impossible to schedule an assessment with a quality Assessor. They’re all neck-deep in year-end cycles.
Even your internal resources will probably be unavailable when you need them most, because they’re scrambling to meet their own Q4 goals and deadlines — which are already competing with the holidays.
When you think about it, there’s no real reason to start your compliance calendar on January 1. You could just as legitimately start it on March 12 or August 27. It doesn’t have to be pretty and clean.
Besides that, it’s unlikely that you’ll target your start date correctly anyway. Achieving compliance (which typically sets your annual renewal date) could take you five months, or 19 months. Since you can’t forecast the start date of your annual compliance calendar, it makes more sense to get started now.
We’re Too Busy Right Now
You don’t have the time to divert internal resources to a new project. There’s a big business initiative going on, or a development release that you’re in the midst of. Staffing is too low right now.
But if we’re being honest, there’s never a good time to start a compliance initiative. It’s a monstrous affair that requires personnel from several departments, and it’ll take months (if not years) to cross the finish line. You’ll never have internal resources just sitting around and waiting for a new project to work on. Being busy isn’t a valid excuse for putting off the critical work of protecting your company.
Start eating the elephant. Get things moving in the right direction.
We Need to Get Our House in Order First
There’s a human tendency to avoid embarrassment. No one wants to bring in outsiders to see their rat’s nest of a security program. It’s the same reason people clean up before the housekeeper arrives.
So you decide to put off hiring a compliance consultant until your security and compliance program is in presentable condition. Then you can reach out for help.
Of course, we all know the ridiculousness of this thinking. You may not be able to get your program in presentable condition on your own. Without outside help, and with limited internal resources, the process will take far longer, and your security and compliance posture will remain vulnerable until you get started.
There’s also a fear of executive leadership’s unrealistic assumptions about what personnel can do. Internal teams are often afraid of being caught not having done things or not being on top of every detail. They’ve been entrusted with security and compliance, but they aren’t experts, and now they’re afraid of falling short of management’s false expectations.
The truth is, security and compliance is an entirely different area of expertise from IT. Begin educating your executives about the differences, and show your value by leading the company toward a more secure position — by finding and hiring the right experts to work with.
We Don’t Have the Budget for It
If you don’t have the money to hire a compliance consultant, you don’t have the money. But your very next budget cycle should prioritize spending on compliance. And in the meantime, you can get started on no-cost or low-cost activities.
- Determine the certifications you need to go up against
- Assess where you currently stand against those certifications and identify the gaps
- Find a compliance management tool
You may not have the budget for a compliance consultant right now, but the TCT Portal compliance management tool is priced very affordably. TCT Portal will help you get organized so you can shorten your compliance engagement — possibly by months. Managing compliance sucks, but TCT Portal makes it suck less.
And if you get TCT Portal in place now, you’ll have laid a solid foundation that your consultant or compliance Assessor can easily build on or evaluate from.
Compliance Can’t Wait Because Attackers Aren’t Waiting
Every single minute that you aren’t moving your security program forward, you’re leaving your gaps and vulnerabilities in place for an even longer period of time. You’re actually increasing the risk to your organization, your vendors, and your customers.
Your organization is at risk. Not potentially at risk, but actually at risk every day. Security and compliance is an area that your company simply needs to prioritize. It’s fundamental to the health and longevity of your company — as fundamental as sales, profit and loss, and product development.
Bad actors are indiscriminately attacking businesses, left and right. They don’t care if you’re a multinational corporation or a mom-and-pop shop. You should expect to be targeted at some point. In today’s security landscape, an attack is a matter of when, not if. And every day that you put off achieving compliance, you’re increasing your risk of a very costly attack.
The time to get started on security and compliance is now. Need help knowing where to start? TCT can help with that. Give us a call today and we’ll talk you through it.