It's myopic to assume that whether an organization fulfills its compliance and security mandates depends solely on the performance of the software it deploys. Software counts, of course, but the results are just as much a product of general attitudes and policies as of bits and bytes. These attitudes are set at the organization's highest level. If the top dogs don't care about compliance and security, that negative message is heard by the ground-level folks, who act accordingly. Conversely, backing for good practices from the highest echelon filters down to those in the field.
This commentary at IT-Director deals directly with regulatory compliance and risk management; security is placed within the overall risk category. The writer makes the point that compliance and risk management are intertwined elements of good overall governance. He says that companies handling these elements as separate functions headed by different people are making a mistake. The commentary, written in the UK, lauds Peapod as a good example of a company that takes this holistic viewpoint. The commentator also lauds a U.S. company, Polivec. The difference is that Polivec's business is to create governance, risk management and compliance (GRC) software that bridges the three silos, while Peapod is a security firm in the UK.
It's interesting to look at the results of a survey conducted by Forrester Research on behalf of RSA on data security issues within this framework. The release describing the survey says that many organizations report being in a "reactive mode" and are struggling to create and implement effective security strategies. The tie between the commentary and the survey (available here) is implicit in a comment from Dennis Hoffman, a vice president and general manager at RSA:
Organizations are grappling with the 'data security dilemma': how to respond to specific regulatory mandates and pressing issues while laying out a holistic and sustainable strategy for data loss. Too often, the point-solutions being deployed today complicate and can potentially derail long-term efforts to get this right.
Hoffman goes on to say that securing information is a process that cannot be adequately addressed through a series of unrelated "projects and products." The bottom line of both the commentary and RSA/Forrester survey is that success (be it in regulatory compliance, risk management and/or security) is the product of positive governance at the highest level of the organization.
A more thorough treatment of corporate governance and of a distinct subset, IT governance, is available at Ecora. Most broadly, corporate governance is defined as "a structure for determining organizational objectives and monitoring performance to ensure that business objectives are attained." IT governance fits within the corporate governance framework and is the responsibility of those in charge of the company. As can be expected, it focuses on the use of IT systems and procedures to further the corporate governance goals. It focuses on "delivery of value to the business" and reducing risks.
This all sounds very conceptual and academic. The bottom line is very clear, however: Good corporate practices -- be they compliance with regulatory rules, security or answering the telephone courteously -- must be set at the top. Clearly, this doesn't always happen. A good first step toward good governance is getting upper level executives to understand the linkage between compliance, risk management and security -- and the fact that removing the barriers separating the three ultimately will help the bottom line.