Keys to Getting Started With Compliance

I have recently jumped head first into a number of compliance initiatives both for our internal needs as well as for our customers.  To say that I have learned a lot in 3 months is an understatement.  I was working with a compliance consultant who at the beginning of the exercise said, “Mike, you seem like you know a little about this stuff and you could probably play a compliance consultant in a movie but we’ve got a lot of work to do.”  Not the comment I was looking for at the time but I am always up for a challenge.  (By the way, what movie would need an actor to play a compliance consultant?)

What I learned is this: compliance is confusing, compliance is important and I really like compliance.  Compliance is not the most exciting topic, and I get that, but what I realized is that even the best IT people are working from memory and experience.  Compliance gives the company a recipe to work from.  I also started to realize that many people do not like compliance because they do not understand it.  As I started to learn about it, I feared it a lot less.  I also started to dislike the statement “we need to do this for compliance.”  That statement will not get your co-workers to buy in and it’s likely to stall a lot of your compliance initiatives.

In an effort to start breaking that sinking feeling when someone brings up compliance, here are a few key principles to give everyone a little confidence that they can figure this out.

What type of compliance applies to your company? – HIPAA, COBIT, PCI, SOX, SOC2: the obligatory alphabet soup is the first daunting task you need to look at.  The basic question here is: are there laws you need to follow because of the business you are in, or are you trying to differentiate your business by having additional controls?  SOC2 (Service Organization Control) is a choice, but many companies achieve this certification to stay in step with their industry.

What kind of data do I have? – This is the main driver behind the previous question.  You may think you are not exposed to HIPAA because you are not in healthcare, but do you have HIPAA customers?  Have they shared HIPAA data with you inadvertently?  These are tough questions, but you need to step back and look at all your data.  At that point, you need to start classifying all data, whether it is public, proprietary, confidential, sensitive, etc.  You’ll find that this has other benefits to your business beyond compliance.  You will begin seeing the different parts of your business in a new light and it will help you make better IT decisions.

Write It Down! – You can be making exactly the right IT decisions and have a rock-solid process, but if it is not written down, it’s not going to help you.  Some very simple evidence that the right steps are in place goes a very long way.

You Still Get To Run Your Business – The biggest lesson of all for management is that this is a choice.  Of course, if there are laws that apply to your company and you are not following them, that is a big risk.  Realizing that you can make decisions the way you always have is empowering, but now there is a new factor: compliance.  In the same way that the financial aspects of an initiative play into decision-making, compliance (and ultimately compliance risk) is now a factor.  It’s something else to consider, but it is not the only driver.

I have seen a few smiles and eye rolls around the office when I tell people I’m interested in compliance.  People think I might be a little crazy, but I’m interested in challenges that feel complicated at first and, with a little time, can start to be easily understood.  If you want to speak with us, or with me specifically, for a few minutes about this, I’m all in.