So your boss just dropped the news that you’ve been chosen to coordinate getting your organization compliant against some standard you know nothing about? Been there.
We’ve written articles to help you figure out how to become compliant for the first time, and how to prepare for your first assessment. You’ll also need to be prepared to face resistance from various groups within your organization.
Let’s take a look at the kinds of resistance you’re likely to encounter within your organization, and how you can stay one step ahead of it.
Related reading: What No One Tells You About Achieving Compliance for the First Time
Internal Resistance to Your Security and Compliance Program
Fear of change
You’re going to face resistance, simply because you’re an agent of change. People naturally resist change, and they justify it by saying that it’s going to disrupt the business. Usually, they don’t have any idea what they’re talking about. It’s just a vague fear that change is going to make things worse.
I can’t tell you how many times I’ve heard the notion that security and compliance are going to negatively impact business operations. It won’t be long before you hear some version of this complaint: “Our operations can’t afford to take on the ridiculous burden of all of this security and compliance nonsense. It’s going to grind our business to a halt and impede our progress.”
Fortunately, after you’ve gone through your first round of compliance, people often realize that it wasn’t nearly as bad as they had feared.
A security and compliance program isn’t cheap. Implementing controls across your environment takes time and compliance management requires allocation of internal resources. You’ll need to hire specialists and vendors, and purchase software platforms.
It’s not unusual to bump up against resistance from executives — and specifically those who hold the purse strings. Your CFO may experience some sticker shock when they realize that security and compliance is far from a cost-free venture.
Expect your executives to ask questions. They’ll want to have justification for your purchases, and they may be resistant to allocating budget requests. Be prepared: they may send you back for cheaper alternatives as another option.
Last year, your leadership team established goals and objectives for this year and for each quarter. But a major sales opportunity came up early in Q1 and landing the client depended on being compliant with PCI DSS or some other standard.
Suddenly your organization made the commitment to becoming compliant. But the effort requires resources and budgeting that were dedicated to other priorities for the quarterly goals.
Most organizations will substantially underestimate the time, costs, and effort to run a security and compliance program. That puts you in competition with other areas of the company, which creates friction and slows everyone down. You may find yourself continually butting heads with department leaders who feel like you’re stealing their people, budget, or other resources.
Dread of procedures
Very few people love processes and procedures. Fewer still love creating them and maintaining them. But security and compliance programs require your organization to create and manage numerous procedures.
Don’t be surprised when you get pushback and resistance from internal personnel when it comes to developing procedures or other types of drudgery.
Let’s face it — compliance management sucks. So don’t be surprised when you find people on your team dragging their feet to complete their tasks.
After months of working weekends, putting in overtime, and pushing through tight deadlines, people will find it a struggle to keep motivated. And if executive buy-in is low, the people in the trenches are going to ask themselves, “If the execs don’t give a crap about this stuff, why in the hell should I care?”
Featured Case study
Phoenix Financial Services Navigates Compliance Chaos
Learn how TCT removed Phoenix Financial's overwhelming challenges of becoming PCI compliant.
Top Tips for Reducing Resistance to Compliance
You can reduce much of the resistance to your compliance efforts. Get proactive and address issues before they come up. This is one of the first things you should do, even before you ramp up your compliance activities.
Lay the groundwork
Start by laying the groundwork with the executives. Set their expectations about time, costs, and internal resource needs. Get a commitment from them to support your efforts and to be your number one promoter. Executive leadership sets the tone for the rest of the company — if your leaders are fully on board, everyone else will fall in line as well.
Also talk with your leadership team about how a compliance engagement could interfere with other priorities that had already been set. Give them a realistic expectation of timelines. Work with them to adjust internal expectations regarding deliverables — including reallocation of resources as needed.
Next, lay the groundwork with department managers. Prepare them for what lies ahead and assure them that you’re all in this together.
Listen to their questions and hear their objections, without defensiveness. Acknowledge their frustrations and fears, and do what you can to alleviate their concerns. Show a commitment to working with them through the process and doing what you can to make the burden as light as possible. At the same time, it’s not going to magically happen with a twitch of the nose like in an episode of “Bewitched”.
Explain to staff throughout the organization how the compliance engagement will affect them, and the roles they need to play. Rollout is a whole lot easier when you’ve got everybody prepared to head down that path.
Communicate — and over-communicate
You’ll get a lot more buy-in, and a lot more responsiveness, when you communicate regularly with your leadership team and members of your compliance team. Keep executives in the loop about your progress and your roadblocks. Ask them for the support you need and make sure they are in the loop. Address their concerns about timing and spending.
Likewise, you need to be a great communicator with your compliance team members. Make sure they know what evidence is coming due, when it’s due, and how to do it. Stay on top of your project status and hold frequent meetings to touch base and solve issues.
Address the morale of the people on the front lines. You don’t need to be a cheerleader, but you should show genuine appreciation. Recognize their hard work and achievements in tangible ways.
Some ideas include:
- Verbal acknowledgments and thank-yous after a major sprint of work
- Public recognition from executives
- Take the team out to lunch or order special breakfasts
- Give an extra day off after a working weekend or major overtime push
- Throw a compliance party after the assessment
The compliance party is a big deal. It is tremendously important to recognize what your team did to get to the finish line. The leadership of the organization won’t truly understand what your people went through, but I can’t overstate the significance of an appropriate reward for their heroic efforts.
Share a vision
Your compliance team needs to have a vision for the work they’re doing. Get them on-mission and communicate the critical importance of security and compliance. Also prepare them for the hard work ahead.
When setting expectations for your team, give them a long term view. The first year that you go through compliance, it will be painful. The second year, it will get better. By the third year, you should have things close to humming along and compliance management will be a straightforward effort. By year four, it’s mostly rinse and repeat.
I encourage organizations each year to look back. Review where you were when you started, and how far you’ve come — as well as the various benefits that that’s had for the company. When your team can see real impact and improvement, it can be a strong motivator to dig in and do the tough work.
Build a Successful Culture of Compliance
When you’re just getting started on your security and compliance program, the win is navigating through a year without a lot of internal resistance. When you get to that point, you’ve successfully achieved a culture of compliance that directly supports the organization’s compliance efforts.
Nobody’s going to jump out of their seat over compliance, but you can aim for the lofty goal of mitigating the bitching about it. Oftentimes, it’s at that third year mark when organizations look back and realize just how far they’ve come. That’s when compliance management seems to become ingrained in a company’s culture and people truly embrace it.
Your first year may be rough, but these best practices can make it a lot easier to move your organization through compliance. Remember, it’s a marathon and not a sprint. Give yourself and your team time to build a security and compliance program that rocks.