How to Survive Your First Compliance Engagement

If your organization is becoming compliant with a security standard for the first time, you need to know what you’re getting into. Your first compliance engagement isn’t just a massive undertaking from a process perspective — it will take its toll emotionally as well.

If I’m being completely honest, most compliance managers (and their teams) go through hell, emotionally, when they embark on their first compliance engagement. It will be a tougher experience than you anticipate, and it will be a much, much longer one as well.

Most of the personnel involved in compliance end up burned out by the end of their first engagement. I know I was on my first trip to the compliance rodeo.

But if you know what you’re getting into, you can prepare for it and prevent a lot of the emotional turmoil that many other compliance managers deal with. This article will help you to prepare for the emotional journey of your first compliance engagement.

Don’t Sweat It! How to Master Your First Compliance Certification Project

But first, we need to understand the most typical emotional journey compliance personnel go through when they need to become compliant for the first time.

The Emotional Journey of a First-time Compliance Engagement

In the beginning stages of your compliance engagement, the compliance team often feels a sense of urgency. The top levels of the organization have tasked you with the project and they want it done quickly. Your adrenaline spikes as you get ready to take on a big project.

That urgency quickly transforms into low-level stress when you begin to realize the volume of work ahead of you. Your already full plate has just gotten fuller, and this project won’t be as simple as you’d initially hoped. As you see how much you don’t know about compliance and how much will be required of you, that low level stress becomes full-on anxiety. Your executives are expecting this to be wrapped up according to a timeline that was formed early on, and you’re realizing now that it’s not going to happen.

Often, the leadership of the organization mistakenly believes that your IT personnel are naturally equipped to lead a security and compliance engagement, simply because they’re smart technical people. Those kinds of unfair expectations put you in a position where you’re now forced to figure everything out on your own. 

The pressure is on, and you’re the de facto point person for your entire organization.

Before you know it, you and your team are putting in tons of overtime, just trying to wrap your arms around the basic concepts of compliance. It’s been weeks and weeks, and you’re no closer to the finish line than when you started. It’s not unusual to work your way toward 90+ hours each week, and your team is feeling mentally and physically exhausted.

At this point it’s clear that you need external help, but you’re already in over your head. Your hopes of an expedient weeks-long project seem like a distant memory and now you’re expecting it to be a months- to a year-long engagement (you may still be underestimating).

Eventually, you and your team are perpetually depleted and dreading every day of work. Frustration is continuously building. You aren’t sleeping and you’re always working. Even when you aren’t working, the compliance engagement dominates your thoughts. There is no escape.

The Fallout of Compliance

I know many individuals who came to their breaking point during their first compliance engagement. I’ve seen grown men in tears. Others lashed out in frustration at the slightest trigger. Some developed health issues or anxiety attacks. Entire teams have imploded during the compliance process. 

It’s no wonder that the turnover rate is so high for compliance managers.

Take a step back and you can see that the situation isn’t anybody’s fault. You couldn’t have known going into your engagement how complicated it would actually be. Your boss just wants the work to get done and to move on. It isn’t your vendors’ fault. It isn’t your team’s fault. And it isn’t your fault. It’s just the nature of the beast.

But it doesn’t have to be. You can become compliant and maintain your sanity — and even thrive. Follow these critical practices that help you and your team to protect your physical, mental, and emotional health during your first compliance engagement.

Leverage a Compliance Consultant

The single most important thing you can do is to hire a compliance Consultant right away. I know that I wish I had access to a compliance Consultant on my first engagement. These experts know and breathe cybersecurity and compliance. They’ve been around the block several times and they know what pitfalls are waiting for you down the road.

A great Consultant will clarify your compliance requirements, know what to expect from an Assessor, and help you to establish an efficient process that gets results. They’re also great listeners who can talk you off the ledge when the engagement becomes overwhelming. They also have a lot of experience with different approaches and solutions to meet compliance requirements effectively. The compliance Consultant will make a huge difference in terms of your sanity on the journey.

Companies that make good use of compliance Consultants have more success and far less emotional distress than other organizations.

Scope Your Engagement

Teams are much more resilient when they know ahead of time what to expect — how much work is actually involved, how long it will take, what kinds of help they need. 

The number one best thing you can do for yourself and your team is to thoroughly research exactly what it takes to get certified under your specific security standard. Find out what’s involved, what resources and tools you need, how long to expect the engagement to take, and what kinds of additional third-party experts to bring in (in addition to the compliance Consultant).

The more prepared you are for the engagement, the better you and your team will survive it.

Equip Your Team for Compliance Success

Practice Bold Communication

Practice early and open communication to your organization’s leadership. Establish a pipeline where these people can be your greatest assets in resolving issues that will arise throughout your journey. You need the leadership team to clearly understand what is happening throughout the engagement, what you’re going through, and get prompt updates as new challenges are discovered.

Be more open, more direct, more blunt than you’ve ever been about the skills required to navigate these waters. Don’t allow executive management to operate under any false assumptions, of any kind. If your team lacks certain skills or knowledge, don’t try to minimize that fact. If you don’t have the resources you need, make it blatantly clear that you can’t continue without them.

Do whatever it takes to give them a crystal clear understanding of the enormous demands inherent in a compliance engagement — and the depth of specialized expertise that’s needed to address them.

Establish Ground Rules

Get on the same page with your team, right from the start. Establish your rules of engagement before you do anything else. For example:

• How will you operate as a team?
• How will you communicate?
• How often will you meet?
• How will you submit evidence?
• How will you use your compliance management system?
• Where will you put written explanations?
• Where will you attach evidence and files?
• What happens when you’re done with each task? With everything?

These agreements will help you to keep moving forward productively when the engagement becomes chaotic and confusing (it is a matter of time). 

Plan Your Dedicated Time Allotment

Clear as much of your schedule as possible and dedicate no less than 50 percent of your time to nothing but compliance management. From the very first day, you’ll need at least 20 uninterrupted hours per week for this effort — and even then, you should expect to put in overtime. 

As the engagement progresses, you may need to ramp up that dedicated effort to 75 percent, and eventually 100 percent near the end of your annual engagement.

Do thorough pre-planning. Take a realistic stab at who will need to be involved in the engagement and how much time will be demanded of them. When will each person be brought onto the effort, and for how long? 

Coordinate scheduling with each team member and their supervisors. Plan around paid time off and other projects these people may be committed to. Be prepared to clearly raise availability issues to leadership as they arise.

How Proactive Planning Reduces Compliance Stress: A Step-by-Step Guide

Care for Your Team

Take care of your team. Encourage them to take time off and get a break. Have an open door policy and make yourself available for them to unload when they’re maxed out on stress. Reward them whenever you can, even if it’s with simple things like fresh donuts or a spontaneous team lunch out. Plan early with management to have that budget so it’s available when the crescendo of the compliance engagement reaches fever pitch. 

Watch for signs that individuals need an extra dose of encouragement or some time to take care of themselves. They may be an invaluable part of your compliance engagement, but they’ll be ineffective if they burn themselves out or decide the hell of compliance isn’t worth it and leave the organization (I’ve seen this happen several times).

Use the Right Compliance Tools

Make sure you’re leveraging a compliance management system. A good compliance solution will automate a myriad of elements of the engagement that are complete wastes of time. Nagging, reminders, status updates, collecting evidence, organizing the evidence, pushing it up through the workflow — all of that and more can be automated for you. That frees you up to focus on the high value activities and streamline the engagement for a more efficient experience. 

Phoenix Financial knows the difference a tool like TCT Portal can make. Their compliance team was getting crushed by the weight of their compliance engagement, and the demands were overwhelming. “During that time I was leaving the house at 9 am and getting home at 1 or 2 in the morning, five to six days a week,” CIO Jamie Hefty said. “It went on for about 60 days.”

TCT Portal helped them streamline their engagement and get their efforts under control. The work became lighter and they quickly gained traction.

Check out the Phoenix Financial case study.

Many organizations spend 18 months or more in the trenches of their first compliance engagement. But with TCT Portal, you can reduce that time by as much as 65 percent. Imagine reducing the length of your compliance engagement by 6-12 months. 

Make sure you make it clear to the people on your team that they need to pay attention to their status alerts and notifications from the system. This is a team effort, and it takes everyone’s investment to pull it off successfully. The correct compliance management tool will pay for itself many times over in your first compliance run and become even more valuable of a tool in the coming years.

Gain Compliance and Keep Your Sanity

First-time compliance engagements don’t have to be emotionally grueling. With the right preparation, resources, solutions and tools, your team can not only pull it off in a reasonable time frame, but you can protect your mental and emotional health as well.

Don’t just assume everything will be fine. Proactively set yourself up for success. Need help with your prep work for your first compliance engagement? Talk to us — we can help you figure out what you need to succeed. We got into this space to help people make managing compliance suck less.