tutorials, visit SearchSecurity.com's Security School page.
All risk systems are built around the idea of perpetual improvement, including compliance programs.
It takes a remarkably mature organization (and management team) to realize that if it isn't using that data and learning everything that you possibly can from mistakes, it isn't really managing risk; it's only managing events.
Enterprises build and manage programs that, if all goes right, ensure they are in full compliance with policies, procedures, laws, regulations, etc. But, compliance managers realize that, on occasion, things will not go as planned, despite their best intentions. In mature organizations, the circumstances about what went wrong and why provide fertile ground for opportunities for improvement in these programs.
In order to learn from unexpected events, companies have to be able to discuss them openly and honestly with a focus on the key question: "Why did something happen?" and "What are we going to do about it?" This conversation is awkward enough with routine process failures, where perhaps some money was lost or some customers were inconvenienced. When the issue involves data security, the tension level tends to go up exponentially.
Data security is slightly different than most other operational risks in that security and compliance teams are trying to manage to a "zero event" (in other words, a data breach isn't an acceptable result and just can’t happen). Intellectually we know it’s possible, but when it does there’s a tendency to want to clean it up and move on as quickly as humanly possible. But the same rules apply as in all other operational failures; if compliance program participants don’t learn from their mistakes, the program never gets better. There is no greater indictment of an organization’s risk management and compliance program than if the same event happens twice.
Frankly, in too many organizations, failures are quieted to avoid embarrassment, responsibility or liability. It takes a remarkably mature organization (and management team) to realize that if it isn't using that data and learning everything that you possibly can from mistakes, it isn't really managing risk; it's only managing events.
a compliance culture: The practicalities of learning
Once an unwanted event has been identified, there are four key questions the compliance team must initially answer to first get back to a stable state.
- What happened? This requires an impartial analysis of what exactly went wrong.
- What does it mean? Next comes an analysis of the potential effect to the organization in terms of financial, operational, reputation and regulatory exposure. This may be estimated early on and then fine-tuned as more information becomes available.
- Is it still happening? Is the proverbial roof still leaking? If so, what needs to be done right now to fix the problem(s)?
- What must be done to make it right? What recovery steps need to take place to address customer data exposure, informing regulators, managing media inquiries, etc.?
Everything to this point should be straightforward; the process is basically focused on incident response and damage control, but so far none of these steps teach anything about why the event in question took place and how it informs the organization's risk profile. Once the event is remediated and completed, then the real valuable work can begin (and, unfortunately, where some organizations shut it down).
Building a compliance culture: Going the extra mile
Once the problem is resolved, then the questions are:
- Was the failure related to a control that:
- Was missing? It simply didn’t exist.
- Was insufficient? The risk or its effect was underestimated or misunderstood.
- Was unnecessary? The loss was expected to be less than the cost of a suitable control.
- Failed? The control was designed correctly, but simply wasn’t followed.
- Were the mechanisms in place for recognizing and responding to the event sufficient?
- Given the new information about the event, the effect and recovery effort required, how does this influence the organization's understanding of its risk and related controls? Does the new understanding of the risk profile have implications on specific compliance requirements?
- Then, the million-dollar question: Is there anything we need to change?
After figuring out what (if anything) needs to be changed as a result of this analysis, do it! Nothing will kill people’s respect for the analytic process more than if after going through all of that work nobody takes the ball and runs with it (regardless of the reasoning or institutional barriers).
Another critical element for the long term is to document, document, document. Without documentation the organization will never fully capture the institutional learning that comes from these analyses. Any organization that experiences a failure more than once needs to seriously look at its ability to document events and truly learn from them.
Finally, by removing the blame element from the larger analysis, the organization is free to take a careful look at the controls in place and honestly assess whether they are sufficient going forward. However (and this is important), if it was in fact a specific individual that caused the failure, that person should be the first to have the opportunity to weigh in on what improvements can or should be made; this is how an organization creates accountability.
Some managers may be initially reluctant to perform this type of analysis with too broad of an audience, which is fine. Involve the key people necessary to perform a sufficient analysis, document the findings and make suitable operational changes. Over time, people will find the exercise is both productive and strengthening to the risk and compliance program.
About the author:
Eric Holmquist is president of Holmquist Advisory, LLC, which provides consulting to the financial services industry in the areas of enterprise risk management, operations, information technology, information security, vendor management and business continuity planning. Holmquist has 30 years of experience in the financial services industry and is a frequent author and speaker on various risk management topics.
This was first published in December 2011