Why do I love compliance, he asks…

During a recent introductory session with a new senior infrastructure engineer, he asked me, “What is wrong with you, why do you love compliance?” OK, he didn’t actually say “what is wrong with you,” but his tone and face certainly did. My unfiltered response was, “I don’t. I’m not a particularly compliant personality.”

The truth is, though, I do love compliance. I’m not a ‘compliant’ person. I say what I think, and I argue with those who hold greater titles than my own. But I love the work I do. I nerd out on compliance.

Compliance is often thought about in the context of definitions like “a disposition to yield to others” (a.k.a. passive) or “conformity in fulfilling official requirements” (a.k.a. boring as f); but there is another definition of compliance: “the ability of an object to yield elastically when a force is applied”. This is the definition that I nerd out on.

Businesses and business units are constantly exposed to forces that are beyond their control. Whether those forces come as new regulations, demands from customers, changes in the marketplace, or priorities from the board, the strongest organizations are those that can respond to them rather than simply react. Many treat these forces (or obligations) as hurdles to clear and forget, when in fact they should be harnessed as guardrails that help your team achieve its goals more easily.

What does this mean from a practical perspective? Well, let’s explore with some real life experiences.

Years ago I was hired into a company that was about to kick off a financial audit covering the prior four-year period. They had failed to complete their last four annual audits because, as best I could tell, they had no established policies and procedures for handling much of anything. I spent the next handful of months climbing through an HVAC closet digging out overstuffed boxes, piled high with disorganized paperwork that sometimes did and sometimes did not match the year written on the outside of the box (something I discovered as I blew the dust bunnies off each piece of paper so I could read the text). I made existing employees search their mailboxes. I contacted vendors to request copies of old receipts. I navigated lots of hurdles trying to gain access to old accounts. By the time we finished the audit (and yes, I did get it completed successfully) we were entering the next audit period. When I got the auditors’ first requests for that period, I sent them back all of the requested evidence and information in less than two hours. How? I used the first four-year audit as an opportunity to establish an organized receipt storage process, to clean up the accounting software, and to enforce segregation of duties, with expense approvals and account reconciliations documented and stored properly. When the auditors came back with more requests, I just had to open an online file and do a quick text search or date lookup and, boom, I would have what they needed, and it would include the appropriate approvals and accounting in our books.

This is the power of compliance. The added effort that I brought to day-to-day activities was renaming files with YY-MM-DD_Payee/Recipient_$$. That was the entire extra effort on a daily basis, and it saved weeks of work per year. Compliance done wrong is having the receipts kept somewhere (but don’t ask me where, I just work here). Compliance done right is having a system that makes things work efficiently and ensures you don’t have unauthorized payments, audit findings, etc. Force: financial auditors and the regulatory bodies. Elasticity: solid financial controls and file storage organization.

You might be thinking that’s just organization, not compliance. Fair, it is. It isn’t only organization, though. It’s compliance done thoughtfully: taking compliance obligations and building processes around them that both 1.) make day-to-day work more efficient and 2.) build trust.

Let’s take another example: third-party risk management. Several regulations and industry security standards require some form of vendor risk assessment and monitoring. Many companies look to insurance and contractual agreements to solve third-party risk, but if you are thinking about trust, this is wildly insufficient. Neither insurance nor contractual agreements protect the personal data; they simply address liability related to personal data. A third party may meet its contractual obligations, such as encrypting the data or not reselling it, but that doesn’t mean its services or software are secure, and it doesn’t mean it won’t be breached. Of course, it’s impossible to guarantee that anyone won’t experience a breach, but an appropriate risk assessment both meets compliance obligations and can identify actual security risks, allowing companies to apply compensating controls or remove the risk altogether. At one company I worked for, we made decisions about data transfers, compensating controls, and even terminating the use of certain third parties based on our initial and annual risk assessments, and we saw no fewer than four instances in which our preemptive actions avoided impact to our company when those third parties experienced breaches, as well as multiple instances of being protected against potential exploitation of third-party vulnerabilities thanks to the defense-in-depth mechanisms we’d put in place. Force: insecure third parties, external bad actors. Elasticity: third-party risk management.

That, my friends, is why I love compliance (done right!). When compliance leaders thoughtfully capitalize on the ‘we have to’s to build strong, compliant safeguards, companies are more resilient. Security staff are empowered. Customers can truly trust.


Locktivity Rambles
