CIO lessons 4:The science of compliance

See also: CIO Lessons 1: How to manage change CIO Lessons 2: How to manage people CIO Lessons 3: How to manage your supplier

The CIO panel Matt Peers, CIO, Deloitte Richard Walters, CTO, Invictus Dave Upton, Associate Director, KPMG CIO Advisory Mehlam Shakir, CTO, NitroSecurity

Compliance is one of the CIO’s trickier duties as there is no rule book explaining how to go about it. Instead, it’s all about keeping up-to-date with an external and shifting landscape.

Typically, IT runs a big piece of the compliance pie but the CIO’s role and involvement will also be determined by who’s there alongside him; if there’s legal counsel and a CSO doing a lot of the work, it may diminish the burden of responsibility.

But beware: if there’s a breach, the finger may be pointed at the unwitting CIO, because IT is usually involved.

Begin with policy Process and policy should always be the starting point, not the end game, and technology point tools are merely sticking plasters. Remember that from a risk management point of view, technology is about mitigating risk.

There are other options for dealing with risk: one is to transfer it through insurance policies, and there’s an argument to be had about whether bypassing a technology or a country eliminates risk.

The CIO panel’s view: “Compliance will not prevent a breach. Look at how the IMF was compromised by the Shady Rat operation – it would have passed compliance time after time.”

Establish the owners The large enterprise will likely have a chief compliance officer running a command-and-control operation.

Medium-sized companies may put the finance director in charge, while IT will always have a major part in delivering compliance solutions, and may even own it.

Whoever’s in charge, the modern method is to create a risk register and put someone in charge of it: this overall owner needs to consult the functional heads of areas where risk resides, getting HR, IT, finance, legal and facilities management around the table at the very least.

The CIO panel’s view: “IT typically has a key part in delivering compliance solutions, but it is unlikely to be the only player.”

Identify the blind spots Physical security is coming into play more and more as the risk within is recognised and mitigated, and CIOs need to take note of this trend.

Surveillance was never a concern of the IT director in the past but convergence and the ubiquity of IP networks have changed all of that: disciplines that were previously separate have been pushed into the same room.

The CIO panel’s view: “Physical security used to be about screwing cameras to the wall and had nothing to do with IP networks.”

Map out the scope There’s nothing wrong with the silo approach which entails a dedicated team and technology for health and safety, finance security and the Data Protection Act (DPA).

The problem with this approach is the amount of duplication of effort and technology involved. The risk register helps avert this and most importantly provides an overview of where the major risks lie.

The CIO panel’s view: “As budgets grow or shrink or the external landscape changes, a holistic view enables you to tighten or loosen the levers – and the associated cost.”

Create a fail-safe standard There is some overlap between many regulations and thus a strong argument for having a central database or framework that maps regulations – and their commonality – onto company systems and applications.

Implementing a comprehensive standard is a good way of getting the compliance foundations in.

The beauty of ISO 27001 is that it has 133 controls across 11 areas: if you comply with this, you’re also in a good place from the point of view of the DPA.

The CIO panel’s view: “ISO 27001 is the gold-plated information security management standard and a foundation of sound compliance.”

Focus on the budget Compliance is a big black hole. It’s possible to pour buckets full of dollars into it and still be breached in some way. The more pertinent question, therefore, is “Am I in with the pack when it comes to spending?”

Over-spending or under-spending are equally punishable offences. It’s possible to analyse compliance from a bits and bytes point of view and to rack up further costs implementing awareness and training programmes, too.

But crucially, the board will want to know its business is as good as its peers without going wildly out of kilter on spending.

The CIO panel’s view: “Every time we went in and did an audit, the CIO would say: ‘That’s great. But how do we stack up against our peers?’”

Manage the risk, not just compliance There’s been a swing towards compliance over the past couple of years, which is an indicator of the boardroom’s increased concern with regulatory risk, box-ticking and the subsequent back-covering.

CSOs admit they spend money nowadays not on security systems but on passing audits, but the problem with this approach is it’s possible to be compliant and still suffer data breaches, as was the case at Sony, where hackers compromised the personal details of 77 million PlayStation Network users in April 2011.

The CIO panel’s view: “The intelligent approach is risk management, which acknowledges there will always be residual risk but takes steps, through policy, prices or technology, to mitigate it.”

Use auditors’ language Translating events that have happened within your company into a language that auditors understand is critical not only for compliance but also for cost control.

You may record a security or privacy breach, but this will only be clocked as a control number by the auditor who assesses the action you have taken.

Precious time can be wasted communicating this, and when the auditors are on site, the meter is on.

The CIO panel’s view: “Use frameworks that map regulations and compliance requirements onto company systems and you can bridge the gap between policy maker and implementer.”

Make sure the meetings happen Compliance is an extension of good governance and the CIO’s experience of the latter discipline and expertise in project management will stand him or her in good stead.

Other functions such as HR and finance may not have this project experience nor the same reference points, so make sure you don’t run away with projects and find yourself out of synch with colleagues.

The CIO panel’s view: “Your peers in finance and HR will be grateful for your leadership and advice on handling compliance projects.”

Be clear about responsibility Typically, a compliance project may start with one objective on the back of an enquiry from the Information Commissioner.

Often, this limited project is hijacked to cover multiple areas, because it may be cheaper to double- or triple-up, but the danger here is that responsibilities may not be re-scoped in line with the project.

The CIO panel’s view: “There is more scope-creep and blurring of boundaries on compliance projects than with any other project.”