Top Reasons Compliance Programs Fail and How to Minimize Exposure

    Companies are struggling to understand and implement the right policies and controls to meet ever-evolving compliance mandates. Yet strict adherence to individual compliance standards means they’ve likely implemented controls they do not need, while inadvertently leaving out important controls necessary for an effective program. This cookie-cutter approach can actually leave organizations more exposed than ever before to potential security risks and controls failures.

    In this slideshow, Unified Compliance CEO Craig Isaacs explores current compliance gaps, major compliance challenges and practical tips for creating more effective compliance programs.

    Top Reasons Compliance Programs Fail and How to Minimize Exposure - slide 1

    Creating an Effective Compliance Program

    Click through for eight compliance challenges organizations face, as well as steps that can be taken to limit exposure, as identified by Craig Isaacs, CEO, Unified Compliance.

    Compliance Gaps

    Compliance Challenge #1: Compliance Gaps

    In the alphabet soup that is today’s regulatory compliance landscape, there are several prominent standards that are so broadly implemented that organizations often mistakenly believe that adhering to one, and one alone, is sufficient for building an effective, legally defensible compliance program. But did you know that though ISO 27002 has 238 direct controls, only 16 percent of them overlap with the Sarbanes-Oxley Act (SOX), which mandates 174 direct controls? And when these two standards are compared with PCI DSS 3.0, which has 293 direct controls, only nine common controls span across all three.

    To reduce audit requirements and curb compliance chaos, organizations must find ways to more efficiently analyze these gaps and overlaps.

    Skyrocketing Costs

    Compliance Challenge #2: Skyrocketing Costs

    According to Thomson Reuters, more than one billion accounts were compromised last year alone, costing organizations globally up to $1 trillion in losses. In this current threat landscape, regulations and standards continue to increase exponentially, causing many organizations to experience governance, risk and compliance (GRC) like a constant, never-ending root canal without painkillers, while spending massive amounts of money and time on research, hoping they’re getting it right.

    Organizations must find ways to reduce audit and compliance costs by properly defining system scope and related control requirements. This can be done by leveraging a comprehensive compliance framework that provides guidance across a wide range of standards, laws and individual mandates.

    Compliance Mapping Madness

    Compliance Challenge #3: Compliance Mapping Madness

    Too many compliance professionals get bogged down trying to make sense of their IT, privacy, physical security, records management and supply chain requirements. They spend countless hours mapping specific controls to compliance efforts in a piecemeal fashion: regulation statement by regulation statement.

    To automate and streamline this time-consuming and maddening process, organizations must adopt tools that enable them to sort through up-to-date demands, figure out which controls they need to implement, and understand how they overlap, quickly and efficiently.

    The Spreadsheet Burden

    Compliance Challenge #4: The Spreadsheet Burden

    Evidence gathering, compliance correlation and ongoing compliance review means massive piles of spreadsheets and templates – and a nagging headache to go with them – for most compliance professionals.

    To ease this chronic spreadsheet pain, organizations should look for ways to sort through and identify the controls that directly impact them – while eliminating those that do not.

    Speaking Different Languages

    Compliance Challenge #5: Speaking Different Languages

    Compliance professionals shouldn’t feel like they need an interpreter to communicate with IT and legal teams. In addition, most also serve as a translator to make sense of the laws and standards they’re charged with analyzing. However, a truly effective compliance program will rely on a framework that not only includes a single, comprehensive taxonomy that intelligently classifies standards, guidelines and best practices, but also clearly defines terms through a common language so that people across the organization can get – and stay – on the same page.

    Having a common language in place helps bridge the gap between ever-evolving regulations and internal company processes. It ensures that content is easily digested and understood, helping to streamline workflow, empower teams to make faster, better-informed decisions, and maximize business performance.

    Unique Business Requirements

    Compliance Challenge #6: Unique Business Requirements

    Many organizations believe they can address compliance requirements using high-level frameworks including NIST’s Framework for Improving Critical Infrastructure Cybersecurity or SANS Institute’s Top 20 Critical Security Controls (which is actually 246 direct controls, not 20). High-level frameworks require organizations to fill in the blanks using more prescriptive controls from other authority documents, whether laws, standards, or contractual obligations like PCI.

    Organizations must determine which implementation controls must be in place to meet their specific requirements. This can be done by leveraging a framework that aggregates all disparate cybersecurity regulations into one database, allowing them to create a concise, harmonized list of necessary compliance controls to implement.

    Endless Auditing Cycles

    Compliance Challenge #7: Endless Auditing Cycles

    Organizations should not rely on disjointed compliance systems that don’t speak to one another – it often just results in duplicated efforts and missed or misunderstood requirements. This further drives up costs and decreases the effectiveness of overall compliance efforts. Not to mention the toll it takes on compliance professionals, who are forced to test and re-test the same compliance controls over and over again manually.

    Organizations must find ways to streamline auditing by measuring compliance across a multitude of domains, including PCI, SOC1 and SOC2, HIPAA, FISMA/FedRAMP and ISO, at the same time.

    Overwhelmed into Inaction

    Compliance Challenge #8: Overwhelmed into Inaction

    While it’s important to understand the whole picture when it comes to your risk landscape and compliance requirements, some organizations become so overwhelmed by it all that they give up entirely, instead of making incremental improvements to their program and processes.

    For example, if a company has gone through a series of failed compliance audits, it would be wise to focus attention on one area at a time (PCI, for example). After it gets that area right, it can move on to master the next one, instead of starting from the beginning all over again.