Turf Protection on Compliance Engagements — An Avoidable Reality
Every compliance Consultant has experienced it. I certainly have, and so have each of TCT’s Consultants. In just about every engagement, you’re going to bump into someone who’s feeling territorial about their job.
When someone is protecting their turf, you get resistance in various forms — everything from dragging their feet to constant questioning of your expertise to outright refusals. Sometimes turf protection can be hard to spot — it might look like helpfulness but doesn’t yield any actual help.
Your job as a Consultant gets more difficult and a lot less fun when someone is protecting their turf. But you don’t have to grit your teeth and endure a painful engagement. Use these best practices to smooth out the rough spots and turn opponents into allies.
What’s Really Going On?
You can face territorialism from your client’s employees, contractors, or vendors. The biggest turf defenders are usually the IT personnel.
The more important question isn’t Who, but Why? If you understand why you’re facing turf protection, you’ll have a much better chance of defusing it.
Fear of being exposed
IT personnel are used to feeling like the experts in a bewildering domain. They have the answers that no one else has or understands. As a result, they often develop a sense of autonomy and status within the organization, because everybody relies on their domain knowledge.
It doesn’t help that in most cases, the leadership overestimates the IT department’s expertise. Executives hand IT the responsibility of security and compliance, assuming that they must know what they’re doing. Now, IT personnel suddenly have a weight on their shoulders they aren’t equipped to carry. It’s a Catch-22 scenario.
So when a compliance Consultant comes in and starts asking questions and poking around, IT staff are bound to feel threatened. Nobody wants to be told that they’re doing their job wrong. They don’t want to be seen in a bad light, and they don’t want to be outed.
But it isn’t just the IT personnel who can be uncooperative clients. You’re poking around the entire business. How is HR communicating? How are they terminating people? How is Legal reviewing contracts? Is the Sales team collecting all the right paperwork to protect the organization? Is customer data being entered or stored securely?
That’s enough to make any employee feel like they need to protect their turf. It just happens to be more prevalent among the IT folks, because the vast majority of the requirements list falls into the IT arena.
Fear of being replaced
Vendors and contractors often expect that a Consultant is there to replace them. It’s a fear that’s too often justified. Some Consultants basically walk into every engagement with the same recipe book. They bolt these policies in and then bolt these vendors in. In many cases, the Consultants have self-sourced those services and essentially supplant the existing vendors with their own.
It’s no wonder that vendors are on high alert. They’re used to having to fend off competition whenever somebody swoops in to provide directional guidance to their customer.
These vendors need to learn that they can trust you — that you’re there to help your client and you aren’t going to throw people under the bus.
How to Defuse Turf Protection in a Compliance Engagement
You may be facing an uncooperative client who’s protecting their turf, but you can win them over and make them your ally. Follow these best practices.
Set the tone
One of the first things to do when starting a new engagement is to sit down with the executives. Tell the leadership, “I don’t know what state you’re in, but I’m about to find out. And I don’t know how good your people are, or how much improvement they need to make. But from my past experience, IT people are not security and compliance people. They know how to run an environment, but they’re not security experts.”
Encourage leaders not to browbeat their people or to be angry with them when you find stuff that needs fixing. Instead, a positive environment will help their people to learn through the process, so they can do security and compliance the right way.
Next, talk with the employees and contractors. Make it clear that your job is not to come in and run somebody’s day-to-day operations. You aren’t there to step on toes.
Also meet with the vendors. Be transparent about your approach. Assure them that you aren’t after their business and have no intentions of replacing them with your favorite vendors.
They may not buy it at first, but usually, over time, most internal personnel and vendors learn to trust you — and the process.
Watch for trouble
Be prepared: in some cases, the bond between the clients and the vendor is so strong that a territorial vendor may actually derail your security and compliance efforts for a period of time. The client believes that those vendors are helping, but the vendors are really just trying to stall the process because they don’t trust you yet.
Use your soft skills
Empathy goes a long way when you’re encountering resistance. Seek to understand why people are defending their turf.
- Are they facing pressure from above?
- Have you communicated your purpose clearly enough?
- Are you coming across in some way that makes it hard to get them on board?
- Are they undersupported by executives?
- Is their job legitimately at risk for some reason?
Take time to see things from their perspective. It might take some honest one-on-one conversations — if so, demonstrate a willingness to listen, empathize, and work with them so that everyone can get a win.
Develop a thick skin
The flip side of being empathetic is having a thick skin. You can’t take it personally when you encounter territorialism. People are going to get worked up, and some people are just going to be pissed, no matter what you do.
At a certain point, as a Consultant, you have to remember that your obligation is not to the client’s employees or to their vendors. At the end of the day, your job is to get the task done for the organization and to do what’s right for the client.
Escalate when you need to
Do your best to give everybody a shot to get on board with the program. At the same time, you can’t control how people will respond. In some cases, you will hit a point where you need to escalate matters.
Know ahead of time how you’ll escalate an issue if you’ve got an uncooperative client. Present the escalation plan on Day One so that everyone knows what’s expected from the start. It isn’t fun to escalate to people’s bosses. But if you don’t establish expectations from Day One, then people get incensed when you do go to their boss.
There’s Light at the End of the Tunnel — And It Isn’t an Oncoming Train
There’s no one-size-fits-all approach to dealing with territorialism. In some cases, you can sit down and have a conversation with the person directly. In others, you need to go up a level to their manager to get things heading in the right direction. Sometimes, you need to use softer skills — other times, you have to be hard-nosed.
Those are skills learned over time, based on circumstance and experience.
One of the most rewarding feelings as a compliance Consultant is getting an uncooperative client to the point where they’ve been declared compliant. Looking back, they realize that you were on their team the whole time. And now you can be proud of how far they’ve come.
Your client has expanded their capability and knowledge, and they have a true security and compliance program in place. It’s a tremendously rewarding feeling to successfully navigate those waters and move into Operational Compliance.