BOSTON -- Spending too much time and money trying to figure out how your company is affected by a thickening Web of regulations being spun out of the public and private sector? Dreaming of the day when the common points of all these rules will be molded into one simpler doctrine? You're not alone.
"There's so much bureaucratic overlap right now that it's sinking us," Securities and Exchange
Others at the conference agreed. But with all the recent high-profile data hacks and a growing fear of identity theft, everyone expects more regulations instead. And in the current climate, those regulations could come fast and furious.
"We may be one lemonade-stand fraud case away from more regulations," said Mark Everist, auditing director for American Express. "If you're not a financial organization, you may not have dealt with regulations much at this point. But with FTC [Federal Trade Commission] efforts, you may be more affected going forward. It used to be that a law was proposed and there would be a year's worth of feedback. Now Congress, the states and other countries are passing regulations faster. You need to ensure you're keeping up with it all."
So how does one keep up? Most conference attendees agreed it's best to fight for cultural change at the lower levels of the business and buy-in at the top. They noted it's a battle best fought with carrots, that the stick should only be used as a last resort.
And by following something like the FTC Safeguard rule, one compliance expert said your company will already be doing much of what's required under the likes of Sarbanes-Oxley, Gramm-Leach-Bliley and HIPAA.
Planting seeds of cultural change
For people to embrace what a compliance officer is trying to do, it's always better to be open and friendly, experts agreed. Try to force change with an iron fist and you'll only sink morale.
"You want to ask for feedback. Don't be a dictator," added Sandy Bacik, CSO for Cary, N.C.-based SpectraSite Communications Inc., a company that builds wireless antennas. "Show gratitude to the staff. Say thank you. That changes the culture. Maybe you want to offer bonuses for completing tasks."
Chris Apgar, an independent consultant and former HIPAA compliance officer for Providence Health Plans, agreed. "You'll effect change slowly. It takes time and cooperation. You can't snap your fingers and just make it happen."
Apgar suggested the best way to get upper management support is by changing the culture in the lower levels first. "If the cultural problem is at the higher level, start changing the culture at the lower level and work your way up," he said. "Build a rapport with people and let them tell their story to upper management."
While everyone agrees on the need for upper management support, conference attendees agreed that support can do more harm than good if the executive takes the wrong approach.
"You can have executive support, but they have to measure their response," said Kimberley Laris, IT controls manager for The Timberland Company in Stratham, N.H. "You have to stress openness. If you are out for that pound of flesh, people won't be honest with you. They'll hold back information."
For compliance officers fighting for the right upper-management support, the key is in how they wield the carrot and stick, said Jeff Crume, executive IT security architect for IBM's Advanced Architecture Support group. "Use the return-on-investment argument as the carrot that helps them see the financial benefits of compliance," he said. "The stick is what you use to say, 'This is what will happen if we don't do this.'"
He added jokingly, "It's been said that the best way to make management understand the need for a sprinkler system is to burn down the building across the street. Use war stories judiciously. Say 'This is what happened elsewhere because A and B didn't happen.'"
Making sense of auditors and common rules
The conference also focused on two vexing questions most compliance officers grapple with: How do you deal with the outside auditors and figure out whether you're bound by Sarbanes-Oxley, Gramm-Leach-Bliley or some other list of regulations?
In a way, dealing with the auditors isn't much different from how you should deal with the in-house workforce, Bacik said: "When an external auditor comes in, you have to build a rapport with them. Wrangle an invite to the auditor-manager meetings." External auditors carry more weight with upper management, so it makes sense to build that relationship, she added.
One thing that might help is keeping in mind that auditors can be as confused about the regulatory soup as you are.
"In our case, the auditors were never clear on what we were supposed to do," said Ashish Dham, senior manager of IT and corporate auditing for the Miami-based Ryder truck rental chain. "They had to go back and check with their offices."
That's not surprising, especially with something as complex as Sarbanes-Oxley, said Ian Poynter, chief of security for Cambridge, Mass.-based security firm Bit9 Inc. But, he said, "That should get easier now. We're seeing more clarity this year. And remember, auditors worry about going to prison, too. They don't always know what they're doing."
As for the question of which regulations affect your company, all agreed there are common requirements at the heart of all the rules -- that electronically stored data be secured, that users only get the network access their jobs call for and that companies keep an audit trail in case something goes wrong.
Marc Zwillinger, chairman of the Information Security and Internet Enforcement Group at Washington D.C.-based law firm Sonnenschein Nath & Rosenthal, noted that the FTC Safeguard rule is the single most important information security regulation passed to date for the private sector. Many of its requirements mirror those found in Sarbanes-Oxley and Gramm-Leach-Bliley.
The rule requires that financial institutions "develop, implement and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities and the sensitivity of any customer information at issue."
"The FTC rules are easiest to read and audit," he said. "This is what enforcement audits are currently based upon."
He also recommended people check out the House Committee on Government Reform Web site. "It has 30 pages of best practices," Zwillinger said. "The same themes are throughout HIPAA, Sarbanes-Oxley and other regulations."