Automating Compliance for Better Vendor Risk Management

Folks, we have to talk about the tension that exists between security and compliance. It’s not what we think it is.

Many perceive that tension as a conflict between people — compliance officers and security teams scowling at each other during management meetings, each trying to position the other for blame if a data breach or some other regulatory failure were to happen. 

Well, that’s not accurate. This is a tension about the work of security and compliance, rather than the people who do it. 

If for no other reason, this is true because many businesses don’t even have a dedicated compliance function. Rather, the security team does the compliance work: endless requests for audits, documentation, changes to internal control, and so forth. 

That’s not efficient. It’s a drag on business, because a security team awash in audit requests is quickly overwhelmed. It also means more risk of error as overburdened teams struggle to answer those requests. Plus, the security team has a day job of, ya know, protecting against hackers and malware. 

At the same time, however, regulatory requirements aren’t going to recede any time soon. We need a better approach to managing compliance burdens. 

So what should that better approach entail? 

First, Diagnose the Security Problem 


Overburdened CISOs might reasonably scream, “Where is all this regulation coming from?”

It comes from a new generation of privacy and data security rules proliferating around the world. These rules impose formidable duties of care for the data a company has in its possession, and they hold the company responsible for third parties working with that data on the company’s behalf. 

That means compliance with these regulations is about continuous monitoring and protection of data, rather than point-of-time audits. It’s also about vendor risk management, and your company’s ability to demonstrate competency at that task. 

Hence the proliferation of security audits — which now consume far more of a security team’s time and resources than appropriate. For example, one recent analysis from Coalfire found that a majority of companies now spend at least 40 percent of their security budgets on compliance. Nearly half spend 20,000 man-hours a year on compliance, and 58 percent see compliance as a significant barrier to entering new markets. 

Those numbers are terrible, but they do make sense. A multinational business might find itself saddled with a half-dozen compliance frameworks: data privacy regimes in multiple countries, data security regulations to bid on government contracts, and Sarbanes-Oxley frameworks for internal control over financial reporting. Those frameworks are similar, but not identical. That means your assessments, if not done carefully, can be duplicative and inconsistent. 

Meanwhile, clients and sales prospects still want to see that your company’s security risks are under control, so that they can entrust their data with your business. So the requests for assessments and documentation will keep on coming.

Nobody can fault customers for making those demands. From their perspective, it’s a reasonable request; you probably ask the same of your vendors. But this predicament does demonstrate that compliance and security are two dimensions of something in very high demand: clear, documentable vendor risk management. 

That’s the work that a company has to get right, both to save the security team time and money, and to make the company more attractive to business partners. 

What a Strategic Compliance Solution Must Look Like


Let’s restate that tension between security and compliance again, for the sake of clarity. It’s a part of a larger struggle to achieve better vendor risk management, both to establish your own company’s regulatory compliance and to be a more attractive business partner to potential customers. 

If that’s the challenge, then the company’s strategic need becomes more clear: better use of technology to deliver vendor risk management, so that security and compliance needs are fulfilled at the same time.  

What should that technology be able to do? Again, a few capabilities become clear right away, when you consider the security team’s needs. 

For example, you’ll need a way to map out risk assessment tasks across multiple frameworks; that avoids duplication of effort. You’ll also need automated collection of evidence and automated reporting; that allows you to produce documentation and assurance for customers more quickly. 

As much as possible, you’ll need to integrate your technology with other systems in the business, to assure that any changes in operations that might affect internal control are immediately flagged. For example, if an important control is assigned to someone who is furloughed or laid off, missing that detail can be a huge risk. At the least, your compliance technology should automatically alert you when a control isn’t executed or tested in a timely manner, so managers can investigate. 
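To make the two capabilities just described concrete, here is a small control-register model written for this post (added example code, not code from the original article or from Hyperproof). It maps each internal control to the requirements it satisfies in several frameworks, so one assessment task produces evidence for all of them; it runs a gap analysis for requirements no control covers; and it raises alerts when a control’s owner appears in an HR “inactive” feed or when its last test is older than its required interval. All framework names, requirement ids, owners and dates are constructed placeholders.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class Control:
    control_id: str
    description: str
    owner: str
    test_interval_days: int            # how often the control must be tested
    last_tested: Optional[date]        # None means it has never been tested
    # framework name -> requirement ids this single control satisfies
    mapped_requirements: Dict[str, List[str]] = field(default_factory=dict)


# Constructed sample register; framework and requirement ids are placeholders.
CONTROLS = [
    Control("AC-01", "Quarterly review of privileged accounts", "a.lee", 90,
            date(2020, 4, 15),
            {"FrameworkA": ["A-7.1"], "FrameworkB": ["B-3.4"], "FrameworkC": ["C-12"]}),
    Control("LOG-02", "Central log retention of 12 months", "j.doe", 180,
            date(2020, 1, 10),
            {"FrameworkA": ["A-9.2"], "FrameworkB": ["B-5.1"]}),
    Control("VEN-03", "Annual vendor security questionnaire", "m.ortiz", 365,
            None,
            {"FrameworkA": ["A-15.1"]}),
]

# Constructed: the requirement ids each framework expects the register to cover.
REQUIRED = {
    "FrameworkA": ["A-7.1", "A-9.2", "A-15.1", "A-16.3"],
    "FrameworkB": ["B-3.4", "B-5.1"],
    "FrameworkC": ["C-12"],
}

# Constructed: HR feed of owners who are furloughed or have left the company.
INACTIVE_OWNERS = {"j.doe"}

# Constructed "today" so the run is reproducible.
AS_OF = date(2020, 8, 1)


def assessment_tasks(controls):
    """One assessment task per control, listing every requirement it serves.

    Testing AC-01 once yields evidence for three frameworks, instead of three
    separate assessments that each re-test the same control.
    """
    return {
        c.control_id: sorted((fw, req)
                             for fw, reqs in c.mapped_requirements.items()
                             for req in reqs)
        for c in controls
    }


def requirement_gaps(required, controls):
    """Gap analysis: requirements that no control in the register is mapped to."""
    covered = {(fw, req) for c in controls
               for fw, reqs in c.mapped_requirements.items() for req in reqs}
    return sorted((fw, req) for fw, reqs in required.items()
                  for req in reqs if (fw, req) not in covered)


def control_alerts(controls, today, inactive_owners):
    """Flag controls whose owner is inactive or whose test is overdue."""
    alerts = []
    for c in controls:
        if c.owner in inactive_owners:
            alerts.append((c.control_id, f"owner {c.owner} is inactive; reassign"))
        if c.last_tested is None:
            alerts.append((c.control_id, "never tested"))
        elif today - c.last_tested > timedelta(days=c.test_interval_days):
            overdue = (today - c.last_tested).days - c.test_interval_days
            alerts.append((c.control_id, f"test overdue by {overdue} days"))
    return alerts


if __name__ == "__main__":
    for cid, reqs in assessment_tasks(CONTROLS).items():
        print(cid, "covers", ", ".join(f"{fw}:{r}" for fw, r in reqs))
    print("gaps:", requirement_gaps(REQUIRED, CONTROLS))
    for cid, reason in control_alerts(CONTROLS, AS_OF, INACTIVE_OWNERS):
        print("ALERT", cid, reason)
```

In a real deployment the register, the framework requirement lists and the inactive-owner set would be pulled from the GRC tool, the framework crosswalk and the HR system respectively; the point of the example is that once those feeds exist, de-duplication, gap analysis and timeliness alerts are a few dozen lines of logic rather than a manual review.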

Ultimately, all of this is about fitting security and compliance into the company’s broader business strategy. If you can automate compliance, and then report and demonstrate that state of compliance on demand — that reduces your own vendor and regulatory compliance risks; and makes your business a more reliable third party, and therefore a more attractive vendor to your customers; and lets the IT security team focus on more sophisticated security threats. 

That’s the goal. Achieving it is neither quick nor easy, but then again, our current state of affairs isn’t quick or easy either.

Challenges Along the Way

Perhaps the single biggest challenge to revamping security and compliance along these lines will be defining ownership of this project, especially for smaller firms. In many cases the CISO may end up leading the work simply because nobody else has the necessary expertise. On the other hand, CISOs don’t usually have an abundance of free time — so consider how to win executive support for the idea, and then perhaps oversee a consultant or other outside contractor who moves things forward on a daily basis. 

Regardless of who leads the project, another challenge will be identifying controls in the business so they can be mapped to regulatory requirements. This step is important because without it, you can’t perform a gap analysis to see where controls don’t measure up; and without that, you can’t develop a plan for remediation. 

Along similar lines, the security or compliance lead will need to work with business units to stay abreast of changes to operations after automated compliance comes to pass, so you’ll know when controls no longer work or exist.

This is especially important during the Covid-19 crisis, when layoffs or furloughs might leave key duties unattended, or work-from-home mandates might introduce new risks that don’t yet have controls assigned to them. Remember: if business operations change but your controls don’t, then you’re testing something useless — and not testing something important. 

In the final analysis, and as we mentioned in a previous post, all of this is about investing in the company’s ability to manage risk. Making the business case for that investment isn’t easy these days, so above all frame the argument in those terms. Better security assessments aren’t a compliance exercise; they’re a fundamental part of vendor risk management. And with every passing day, that is becoming a fundamental part of business success.

How to Start Automating Compliance Tasks

For further tips on how to start to automate compliance tasks and improve your cybersecurity posture, check out the following resources:

About Author

Matt Kelly is the editor of Radical Compliance, a blog that follows corporate compliance and risk issues. He also speaks on compliance, governance, and risk topics frequently. Kelly was named as ‘Rising Star of Corporate Governance’ by Millstein Center for Corporate Governance in inaugural class of 2008; and named to Ethisphere’s ‘Most Influential in Business Ethics’ list in 2011 (no. 91) and 2013 (no. 77). In 2018 he won a Reader’s Choice award from JD Supra as one of the Top 10 authors on corporate compliance.

The post Automating Compliance for Better Vendor Risk Management appeared first on Hyperproof.

*** This is a Security Bloggers Network syndicated blog from Hyperproof authored by Matt Kelly. Read the original post at: