Every fast-growing company reaches a point where its customers demand proof of integrity, ethical behavior and a promise that their data is treated securely. At this point, obtaining technical compliance certifications is a must, but staying compliant every year as the business and its services grow becomes a real challenge for the compliance team alone. Without buy-in from management and ongoing collaboration across departments such as HR, IT and Engineering, the risk of noncompliance increases dramatically, and so does the cost of maintaining compliance. With a little investment of time and attention, a culture of compliance can go a long way toward reducing compliance risks and improving the long-term compliance health of an organization.
What is a Culture of Compliance?
A culture where not only the Infosec and compliance teams but all team members feel equally responsible and empowered to take steps toward the organization's compliance goals. Here are 5 steps you can take to foster a culture of compliance, and more specifically a culture of IT compliance:
- Appoint an executive champion
- Lay out a plan for communications
- Ensure proper training
- Design incentives and awards for success
- Deploy proper tools and technologies
1. Appoint an executive champion
In most organizations, compliance is not on anyone's priority list when compared to increasing sales or rolling out new offerings. The message and the importance of compliance have to flow from the top down. A champion among the executives can be a very effective way of shoring up the support of the various departments and securing valuable resources in times of audit. An executive sponsor can lay the groundwork for communicating the importance of treating customers' data securely and with integrity, and how secure practices tie into the overall profitability of the organization. A strong message about general security awareness and the importance of the policies and procedures surrounding it is a good starting point for the Compliance and Infosec teams to build upon.
2. Lay out a plan for communications
Although the overall responsibility for IT compliance lies with the compliance, infosec or IT team (depending on the size of your organization), participation from other teams such as HR, Product, Recruitment and Engineering is essential for success. A periodic and timely communication plan for all stakeholders helps reiterate their responsibilities and why their participation is crucial to the organization's success. A well-laid-out plan, effectively implemented, prevents missing evidence, surprises in resource requests, and highly risky compliance gaps and costs.
3. Ensure proper training
Laying down a proper training plan helps build a culture of information, confidence and general belief in the objectives of the compliance program. An IT compliance training program structured in the following three layers can help establish an ongoing information campaign.
Management’s assertion on the importance and value
Someone from the senior management team should present prepared statements about the value of security and compliance to the organization and the risks it mitigates for its customers.
IT Security awareness
This should cover the nuts and bolts of the policies, procedures and controls in place to effectively mitigate risk and ensure the security and privacy of customer data. All employees should fully understand what is expected of them and the risks and rewards associated with it. Requiring an acknowledgment of receipt of this training helps employees understand the importance of the program.
Roles and responsibilities training
This can be limited to compliance team members, the infosec team and cross-department managers who are actively responsible for meeting the regulations and responding during audits.
4. Design incentives and awards
Successful audit certifications open doors to new business and opportunities for the organization, so rewarding the employees who make that possible is a fantastic idea. Rewards and incentives for successful compliance initiatives instill motivation and demonstrate management's commitment.
5. Establish proper tools and technologies
Probably the most important factor affecting the cost and effort of achieving compliance is the set of tools and technologies your organization deploys. Automation is crucial for large heterogeneous environments, but even for smaller environments a solid system to manage risks, controls and related procedures is a must. A single central system prevents an all-hands-on-deck scramble when an audit nears and ensures you have all procedures, policies and evidence of enforcement ready for presentation.
By focusing on creating a culture of compliance rather than enforcing compliance, we believe you can see tremendous risk mitigation and cost savings. So give it a try.