How to Solve the IT Compliance Conundrum?
Oct 2019 (1): A former patient care coordinator at the University of Pittsburgh Medical Center received a 1-year jail term for a HIPAA violation.
Oct 2018 (2): Hong Kong-based airline Cathay Pacific suffered the world's biggest aviation security breach after the data of up to 9.4 million passengers was exposed, including passport numbers, credit card details and national identity details.
June 2017 (3): Copenhagen-headquartered shipping giant A.P. Moller-Maersk, which handles one out of every seven containers shipped globally, was attacked by ransomware, causing outages at its computer systems across the world.
These are undoubtedly alarming stories. But if you are in any role related to security, compliance, or risk, they can induce the worst nightmares.
We are in an age that is witnessing exciting trends. On the one hand, technology is advancing at break-neck speed, empowering organizations to be agile and lean and to produce disruptive innovation. On the other hand, several new threats to business have emerged that were never imagined earlier, such as sophisticated cyber-attacks and non-compliance risks. For instance, one of the important consequences of digital transformation is exponential growth in data, which provides crucial insights to enhance customer experience significantly. However, it is an overwhelming task to manage and govern the storage, access, and movement of such large data-sets within a modern hybrid IT landscape, especially when industry and government regulations are continually evolving and becoming increasingly stringent. In short, it is an interesting conundrum for business and IT leaders to solve: leverage technology while staying compliant.
One of the significant innovations in technology in the past decade has been the Cloud. It is the de-facto standard for all technology-enabled business transformations. Storing and hosting business-critical applications on the Cloud invites several discussions and concerns around security and compliance. As the Cloud enters its teens, it is now an established fact that it offers more reliable, scalable, and secure IT infrastructure than the traditional in-house data center. However, it is critical to understand that the primary responsibility for staying secure and compliant rests with the organization and not with the Cloud provider. The cost of non-compliance is staggering: huge penalties, lost reputation, lost business, and the opportunity cost of time spent in avoidable legal battles.
Based on our conversations with several enterprise customers and industry experts, here are our recommendations for approaching enterprise-wide IT compliance:
- Do not view compliance as a tactical checkbox exercise but as a strategic imperative that has a vital role in business growth. Short-term, stop-gap measures will turn out to be more laborious, expensive and time-consuming in the long run.
- Compliance management can be costly given the investment required in people, process, and technology. Automation can be of significant value: it not only mitigates the risk of compliance oversights but also frees up valuable time for your critical resources to focus on innovation.
- Since IT and regulatory landscapes are continually evolving, it is helpful to engage with service providers who have good domain knowledge and are acquainted with forward-looking technologies.
- Implement a carefully designed solution to govern IT compliance that is:
  - Comprehensive – supports local and global regulatory policies as well as hybrid, multi-cloud and IoT use cases
  - Continuous – monitors your organization's compliance posture at every moment
  - Autonomous – enforces compliance policies automatically, from the moment a new IT service is on-boarded through its entire life cycle; learns continuously, detects anomalies and provides insightful compliance-related recommendations
A disproportionate focus on compliance can quietly consume all your attention, energy, and money, leaving no room for innovation. Instead, approach it with a strategic mindset to gain a formidable competitive advantage.
"...while protecting networks and critical systems is the ultimate goal, a data recovery plan must also be in place, so in the event of the worst happening and critical services being knocked out, you can still operate. Companies which have this real focus between the preventive and recovery measures and investment will have better standing against future threats," said Lewis Woodcock, head of cybersecurity compliance at A.P. Moller-Maersk, in this insightful ZDNET article by Danny Palmer.