The following story illustrates what can happen when a compliance officer is confronted with an outdated or incomplete risk management framework. While Frank Roth is fictitious, many real-world organizations face pressing security and compliance issues due to their failure to regularly update policies and procedures. Read on to learn about Frank’s challenges and the choices he makes to overcome them. How would you have responded in his place?
It was Frank Roth’s first day on the job as a risk and compliance officer at a utility company. While Frank had decades of experience creating risk management frameworks for highly regulated industries, joining the utility company was a bold career move and an important promotion for him. After a busy morning of filling out paperwork and touring the headquarters, it was time to assess the organization’s risk status.
Frank expected the utility company already had some solid policies in place so he could jump right in preparing for the upcoming audit he’d learned about during his final interview. He grabbed a binder labeled “Compliance” from the bookcase in his office.
Frank flipped to the last page and couldn’t believe the listed date: 2016. That can’t be right, he thought. He imagined there must be some missing data because the last documentation added to the compliance notebook was two years old.
His heart pounding at this alarming discovery, Frank emailed chief information officer (CIO) Shondra Washington to schedule a meeting.
Missing Data Reaches Epidemic Proportions
“Well, you know I started just two weeks before you did,” Shondra informed Frank.
Frank didn’t know that — but he did now. Since it was now his third day on the job, it must only be Shondra’s 17th. Frank realized there was indeed no chance Shondra had compliance documents that hadn’t been added to his notebook.
“I’m sorry to hear your compliance notebook’s so far out of date. Frankly speaking, my experience hasn’t been all that different,” Shondra said as she tapped a pen against her desk. “As a matter of fact, I discovered the IT team’s master inventory list hadn’t been updated in nine months.”
While Shondra went on to discuss the epidemic levels of shadow IT she was trying to rein in, Frank began to panic. The company’s next audit date was approaching quickly. At a loss, he struggled to summon his usual dry humor.
“Well, meeting over a thousand specific compliance requirements and identifying risks will require knowing what’s on the network,” he said.
Information Labeling and Handling Ceased to Exist
Frank and Shondra’s meeting was scheduled for an hour but ended up lasting the majority of the afternoon. Frank learned when it came to information labeling and handling, things were even worse. How was this possible?
Shondra told him the most recent information labeling and handling policy, which defined information labeling updates as the CIO’s purview, was 18 months old. Frank knew the utility company had brought new assets onto the network in an aggressive expansion into renewable energy sources — and it had undoubtedly acquired new customers.
He knew the organization was swimming in data. He couldn’t even begin to wrap his head around the amount of data assets that were unlabeled and unaddressed in the access policy.
Identity and Access Management Mystery
Shondra assured Frank she was working hard to create an updated inventory and get her hands around information labeling. However, she was hesitant to provide a solid timeline on either project. Frank glanced down at his notes and noticed an item labeled “privacy impact assessments (PIAs),” which he knew was an analysis of how information is handled. He asked Shondra about the state of identity governance.
Shondra had an uneasy expression, so Frank continued: “User access controls should be able to determine what users were added and when — who left the company and whether their user IDs were revoked. I also need to demonstrate which IT administrators have access to critical systems.”
“Well, I wouldn’t really describe the current state as identity governance,” Shondra said. “More like ad-hoc user access chaos. I kicked off an identity governance audit my second day on-site, but it’s not going to be done for a few weeks.”
Frank knew he and Shondra had both taken new roles hoping for the best — and had ultimately stepped into an ordeal of mismanaged regulatory requirements and processes. Unfortunately, he wasn’t sure how to manage risks when IT leadership was struggling to maintain the status quo.
Digital Transformation Disaster
Shondra worked tirelessly over the next week to bring the IT department up to par. Frank faced an internal compliance and risk management framework that was years out of date, but he did his best to fill in the gaps where he could. The overwhelmed new hires discussed recent app releases over lunch.
Shondra mentioned that the last CIO had focused on cost savings and customer satisfaction. As a result, the customer portal and energy efficiency apps were pushed through DevOps without dedicated time for security testing.
Frank felt his blood pressure spiking as Shondra detailed how the CIO’s “digital transformation” plan included a third-party development agency and unreasonable development timelines. Worst of all: It relied heavily on business users for feature-based acceptance testing.
“So, you’re telling me both customer apps and employee apps could be full of vulnerabilities?” Frank asked.
Shondra nodded slowly. “You know, it’s way more expensive to fix these bugs post-release than just do secure DevOps in the first place,” she said. “I wish we knew the extent of the vulnerabilities, but I have to direct more resources towards actual testing. From what I hear, the requirements kept changing and projects ran over budget, so the last CIO pushed the development agency to do even less testing than usual.”
Frank had hoped he’d find well-documented, updated risk management procedures on his first day. Instead, he was completely uncertain whether the company’s business dealings were even ethically sound. Furthermore, he had no idea how they’d pass upcoming audits — let alone stay ahead of complex regulatory mandates.
Risk Management Framework From the Ground Up
Both newly hired and seasoned compliance and risk management professionals often struggle to develop a proactive stance on business risk management. According to one study, up to 89 percent of organizations didn’t fully understand General Data Protection Regulation (GDPR) requirements six months ahead of the deadline for compliance.
Fortunately, Frank isn’t destined to face a failed compliance audit or to call his former employer to beg for his old job back. Today’s compliance climate is complex and costly, but the right solutions can help leaders reduce risk and stay ahead of regulations — even if they’re dealing with serious compliance fatigue.
Frank could implement an effective risk management framework to help combat the issues he’s facing. His first step might be to identify all network endpoints, as well as both authorized and shadow software, in seconds using an automated endpoint detection solution. He could then apply policy-based compliance to both endpoints and cloud services with a security intelligence platform — making his job a whole lot easier.
By leveraging comprehensive identity and access tools, Frank could bridge the gap between messy patchwork approaches and unified, compliant management for user governance. A compliance notebook that is two years out of date is definitely stressful, but an ecosystem of data security and protection solutions would automate the overwhelming task of identifying data records that are subject to industry-based regulations.
Rather than give in to his despair, Frank should start by building a plan from the outdated standard operating procedures, using an incident response solution to bring them up to date. He could make security tools do double duty, using packs of pre-built and customizable reports for compliance reporting. Finally, he could use a security app exchange to implement built-in compliance reporting and collaborate with incident response experts to develop a truly resilient plan to mitigate risks.
Risk management and compliance are far from simple — especially for individuals like Frank who are struggling to reconcile complex regulatory requirements with outdated operating procedures and scrambling to manually assess organizational risk.
By leveraging automated solutions to create a comprehensive ecosystem of support for risk management, compliance and business resiliency, security leaders can get a better handle on the organization’s security and compliance posture and prepare for the future. Compliance requirements and networks are changing quickly, but developing total oversight and change management can instill confidence in overwhelmed security professionals.
Market Segment Manager, IBM X-Force and Security Intelligence