Auditor Insights: Compliance from the Start

by Shannon Lane / April 12th, 2018

Why Don’t Organizations Start with Compliance?

At its core, business is a function of time, vision, service, and money. What do we provide? How do we intend to provide it? What takes precedence – the opportunity now or the infrastructure to support things tomorrow? How do we do what we do in a way that makes sense with the resources we have? I’ve found that compliance tends to be one of those things that’s sacrificed due to the time it takes – time that could be spent elsewhere. After all, there’s always more business to pursue, more contracts to sign, more growth to focus on, and more client issues to address. A compliance program is usually viewed as a cost center, an impediment to business practices, and a headache that seems to get worse year after year. And yet…

As auditors, the secret we know is that a system built with compliance in mind isn’t usually more expensive than the fast, easy solution. A business process or IT solution has inertia; it’s hard to change, especially once it becomes core to the enterprise and its operation. Every shortcut taken during the design processes, technology solutions, or internal systems haunts us forever. It’s always lurking there, waiting to come back and bite us just when we think we’re okay. That’s why creating a culture of compliance throughout your organization is so important. A compliance program must be made a priority from the beginning.

Tone from the Top

When building a foundation for a culture of compliance, you must start from the top. Your leadership team, management, senior executives, stakeholders, board of directors – whatever your organization calls it, start there. Senior management’s support will fuel a compliance program.

In many gap analyses, it’s often revealed that what senior management thinks is going on, and the actual process that’s been implemented, are completely separate and unrelated things. I’ve had CISOs tell me about how their employees would never send credit card information over email, only to have their accountants say that this was just normal business practice and they didn’t see the problem with it.

A compliance program isn’t an optional step. It has to be included from the start, as early in the process as possible. In today’s age, where information is the most valuable commodity that we possess, understanding how we use, secure, and manage that information should be ingrained in us.

Security can be simple, but not when it’s ignored and slapped on at the last minute, when the auditors are on their way. Compliance is a way of existence, something that should be embedded into corporate cultures. Designing secure systems around business needs ensures that compliance and security are not an inconvenience.

Is your organization struggling to get management’s approval on compliance programs? Are you confused about the cost vs. the benefits of an audit? Do you have a compliance program, but can’t seem to effectively train your employees? Contact us today, we’re here to help!

About Shannon Lane

Shannon Lane has over 20 years of experience in information services, including healthcare IT, e-commerce data extrapolation, network administration, database administration, and external audit work. Lane now serves as an Information Security Auditor at KirkpatrickPrice, represents KirkpatrickPrice on the 2018 HITRUST CSF Assessor Council, and holds CISSP, CISA, QSA, MSDBA, and CCSFP certifications.