SAN FRANCISCO -- Today, more than ever, organizations are stuck in an ongoing compliance cycle, and compliance fatigue is setting in, according to experts who spoke frankly about the problem at RSA Conference 2012.
hasn’t really solved the problem.
The conference session, Compliance Fatigue: How to Stop Chasing Compliance and Move on to Business, addressed how to avoid the problem of being overburdened by the mountains of documents and never-ending tasks associated with compliance. Compliance experts from PricewaterhouseCoopers offered up tips for IT pros and compliance managers to reinvigorate compliance efforts within their organizations.
Compliance fatigue has increased over the past five years, said Michael Dahn, director within the security practice at San Francisco-based PricewaterhouseCoopers, “This is due to the proliferation of info security regulations in the U.S. that has built up since the beginning of this decade,” Dahn said in an interview after the session.
Dahn suggested that people in charge of their company compliance programs measure their effectiveness using the Security Maturity Model. The model, developed by Dahn, rates an organization’s maturity level (including having documented policies and procedures, having executive leadership on the governance team, and having the ability to perform consistent, repeatable events) and an organization’s security level (based on its tactical security implementation.)
Organizations that fall into the lower left quadrant of the model, with low security and low maturity, are most prone to compliance fatigue, Dahn said. (Dahn noted compliance fatigue should not be confused with a dislike for, or dissatisfaction with, compliance.) From his personal observations, Dahn estimates about 25% of all U.S.-based organizations fall into the lower left quadrant, while 15% fall into the upper right quadrant, although he noted the percentages may vary by industry.
Organizations with immature compliance efforts tend to ride the “hamster wheel of compliance” each year, Dahn said. Once a year, the auditor comes around and employees spring to action, and then compliance tasks slide until the next year, when the process is repeated all over again, he said.
So, how can organizations get off the hamster wheel and move to the upper right quadrant in the security maturity model? Dahn recommended organizations make a concerted effort to spread their compliance activities evenly throughout the year. “Reducing scope hasn’t really solved the problem,” Dahn said. “It’s more of a business decision to tie implementation of compliance with the organization’s business objectives.”
Address risk and compliance will be the outcome.
Organizations should also break down compliance silos, Dahn said. “Too often, you’ll see companies with a HIPAA compliance person and a PCI compliance person, etc.,” he said. “Companies should have a compliance manager handling compliance with a top-down approach.”
Dahn said he sees some companies executing a patchwork of compliance efforts. “This leads to redundancy, inefficiency, wasted resources, and ultimately compliance fatigue,” he said. “Instead, try to look at the big picture. Remove redundancies and find efficiencies.” He encouraged companies to take time to document policies and procedures, so compliance tasks are more easily repeatable in future years.
Pieter Penning, also a director in the security practice at PricewaterhouseCoopers, shared his compliance insights with the RSA session attendees. His motto: “Address risk and compliance will be the outcome.”
Penning advised attendees to stop focusing on specific compliance tasks and instead aim for the best security posture they can attain. “The goal is to have a sustainable program,” Penning said. “Work to reduce risk, not to achieve compliance.”