Compliance is a fact of life for just about every company — especially in highly regulated industries such as healthcare, financial services, and government. And while compliance often falls under the mantle of legal, compliance, risk management, or other departments, IT is certain to be involved in any organization’s compliance efforts.
CIOs and other top tech executives must be aware of all regulations that involve data, privacy, security, and other technology elements. They can play a key role in ensuring their organizations don’t get hit with hefty fines for non-compliance.
IT executives in healthcare and related sectors have for years had to deal with the impact of the Health Insurance Portability and Accountability Act (HIPAA), for example, which mandates the security and privacy of electronic healthcare information. But the regulatory environment has become increasingly complex, especially with the emergence of so many new rules covering data privacy, including the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
Dozens of countries and US states are following suit with similar regulations to safeguard the data of individuals. Research firm Gartner has predicted that by the end of 2023, modern privacy laws will cover the personal information of 75% of the world’s population.
Regulatory compliance related to IT systems, networks, devices, and data is a fact of life for businesses today, making it a significant area of concern for CIOs. The key is to support compliance efforts without creating new difficulties.
Here are some mistakes to avoid, according to experts.
Treating auditors as adversaries
Getting into a defensive posture is sometimes hard to avoid, says Gary Kern, CIO at Middlefield Banking. This can happen when auditors and examiners question IT initiatives and their impact on compliance. “You have folks picking apart your well thought out strategy, and you know they will comment on something,” he says.
Letting this create friction will not help matters, however. “It is always better to have face-to-face discussions and talk about their perspective and contemplate on how that might make your environment better,” Kern says. “The hope is everyone is out for the same thing, including those who made the compliance rules, and that is to assure mistakes don’t happen, the environment is better, and there is more transparency in the process.”
Kern had a chance to put this tactic to the test with a bank examination. “I wasn’t necessarily on board with some of the preliminary findings, so I had an in-depth discussion with the lead IT examiner to get to the ‘whys’ of the comments and try to non-defensively explain what we may have been doing instead,” he says. “We reached an understanding that we both felt was fair, and then moved on.”
About six months later the examiner asked Kern to take part in a bankers panel at an examiners’ annual national training conference. “That proved to be a great experience for me that provided even better insights into the full process,” he says.
Often, regulators pick up their observations from internal audit (IA) reports, says Samir Datt, managing director in the technology consulting practice of consultancy Protiviti.
“If CIOs collaborate with and embrace the IA process rather than hide from it, they have an opportunity to proactively address regulatory compliance in advance of regulatory review,” he says.
Mishandling exceptions
There are exceptions to most rules, and that applies to regulations governing different aspects of IT.
“Rarely is something the right answer in 100% of the cases, especially if there are business, security, and customer impact trade-offs,” Kern says. “Therefore, it is good to put in place an exception management process.”
This includes documenting what is being done and why it might conflict with an existing compliance rule; what additional steps are being taken to meet the compliance objectives; whether the rule is being bypassed permanently or the exception will be reviewed on a regular basis; and which senior non-IT stakeholder signed off on the appropriateness of the exception.
“Granted, there are some rules that simply can’t be bypassed,” Kern says. “But in the situation where a business decision needs to be made to ‘accept the risk,’ be sure that is fully explained. How the intent of the compliance rule may be handled in other ways, or the rationale for why it may not make sense in each situation, should be recorded.”
Failing to prep your team
As with most aspects of IT, a lack of the necessary skills, experience, and knowledge can lead to problems when it comes to compliance.
“A strong compliance strategy starts with its team,” says Rashmi Kumar, CIO at technology provider Hewlett Packard Enterprise (HPE).
It’s important that CIOs build a compliance team that uses a continuous improvement approach in addressing regulatory requirement changes related to IT, he says.
HPE’s Global IT Compliance Team “relies on a continuous improvement plan, where we continuously identify changes needed to the compliance program in areas of reporting, engagement, and control management,” Kumar says. “Leveraging our approach to compliance, we have been able to improve our evidence delivery time by five days.”
Compliance efforts need to be cross-functional, Kumar says. “We make compliance everyone’s responsibility by including it in the goals for each individual” inside and outside IT, he says. “This ensures that [the company has] support and engagement from the entire organization, ultimately growing compliance culture.”
Allowing compliance to dictate security
While IT and cybersecurity leaders need to stay abreast of compliance issues, especially regulatory mandates, “the goal should always be a sound security program that properly supports your business, company objectives, and the vertical in which you operate,” says Russel Prouix, CISO at healthcare payments company Zelis. “If you do that, then compliance becomes a result and not simply the goal.”
Basic security measures are often poorly managed, which becomes a stumbling block for compliance, Prouix says. These include proper patching and vulnerability management, user account security hygiene (such as removing accounts in a timely manner when an employee leaves the organization), use of two-factor authentication for remote access, and proper security and mobile device management for mobile devices, he says.
“Proper security requires a top-down approach,” Prouix says.
Before attempting to implement any cybersecurity program initiatives, including those that support compliance, “you must have buy-in from the board, CEO, and executive leadership to set the tone,” he says. IT and security then need to partner with the business to ensure data protection while enabling data to flow for the business to flourish and stay competitive, he says.
Omitting key technology tools
There’s a whole market of technologies that address compliance needs, and while legal and compliance teams might be responsible for procuring these, IT leaders can certainly be involved in helping to select and deploy the most appropriate solutions.
Gartner in September 2021 identified three areas where compliance leaders should focus their technology investments. One is foundational systems of record. Investments in these systems for compliance can reduce the otherwise ad hoc data capture required for reporting and build datasets that could unlock the potential of analytics and artificial intelligence (AI) for compliance, the firm says.
Another is digitally enabled workflows. Legal and compliance teams have more work to manage than ever, Gartner says, and digitizing the highest-volume workflows is feasible through technology and can deliver significant improvements in how that work gets done.
The third area is digital management of risk. Regulatory volatility, digital business transformation, increasing cybersecurity risks, and the magnitude of information derived from monitored risk and security activities are straining organizations’ ability to manage risk effectively through traditional analog means, the firm says.
Compliance leaders should look for opportunities to streamline risk management and compliance-related activities and improve their understanding of risks through system integration with operational-level data sources, it says.
Technology adoption for the average compliance team lags many other corporate functions, notes Zack Hutto, director of advisory in Gartner’s legal and compliance practice. Teams should first establish foundational systems of record and then invest in tools to facilitate key workflows, before exploring more sophisticated opportunities such as digitally enabled risk management, he says.
Not understanding regulation intent
In some cases an organization’s understanding of a regulatory issue might not fully align with the regulator’s intent, which can lead to confusion. This can apply to IT-related issues such as data privacy.
“We often see companies revert back with an answer without really understanding the ask of the regulators,” Datt says. “Regulators often provide observations/MRAs [matters requiring attention], which is a ‘hint’ to what they really see as an issue.”
So instead of hyper-focusing on the verbiage of the MRA or observation, organizations should really understand the spirit of what is being indicated, Datt says.
“A good collaborative dialogue with the regulators helps to understand the spirit of what is being indicated,” he says.
Lacking structured governance
While organizations might have substantive processes and controls in place, they often lack a structured governance and risk framework that confirms risk coverage as well as alignment of their processes and controls to regulatory requirements, Datt says.
“The lack of structured and documented processes can lead to unrationalized enterprise architecture/controls, churn in responding to regulatory or other stakeholder inquiries, or potential blind spots of exposure,” Datt says.
CIOs and other technology leaders should help facilitate an overall governance structure that brings together information security, enterprise architecture, application, and infrastructure teams in a way that embeds regulatory compliance into technology delivery by design, Datt says.