Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable compliance expertise with a sprinkling of personality.
Show Notes: The Most Effective Compliance Managers Possess These Essential Skills
Quick Take
On this episode of Compliance Unfiltered, the CU Guys have a deep look at the key skill sets of those most directly responsible for your compliance success or failure. Most organizations struggle with finding the right person to handle this critical Compliance Manager role.
Adam gives the listeners a breakdown on all the important factors. From what communication skills to look for, to how organizational skills separate the good compliance managers from the great, to those tricks of the trade that only come with experience, the CU Guys have you covered.
All these key elements for your consideration and more, on this episode of Compliance Unfiltered.
So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less.
Now, here’s your host, Todd Coshow, with Adam Goslin.
Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow alongside the compliance Luigi to your Super Mario, Mr. Adam Goslin. How the heck are you, sir? I am doing fantastic today, Todd, yourself? I cannot complain, sir. I cannot complain, but today is actually a bit of an interesting day. We have new stuff going on left and right. And one of the new things that we want to chat about is the most effective compliance managers possessing certain skills and exactly what those skills are.
Now, many organizations struggle with ineffective compliance managers over the years. Tee this one up for the folks out there, will you please, Adam? Sure thing. So, you know, compliance manager is a critical role for any organization that’s got security and compliance programs in place. You know, the success of your annual compliance assessments, the success of your cybersecurity protection, you know, it all depends on having the right person in place to, you know, steer the ship, direct the staff, etc. And so, you know, any time that you’re, you know, adding new compliance certifications into the organization, you know, it requires a skilled veteran that knows how to get up and running quickly and effectively, you know, otherwise you’re, you know, you’ve got several risks in play, delays, confusion, chaos abounds, all that fun stuff.
So you know, and a lot of times those moves come with a, you know, come with a little bit of pressure, shall we say. Maybe it’s a, you know, maybe it’s a big contract that, you know, that an organization is attempting to land. Maybe it’s a long-term, really important client that now is mandating, you know, that you as an organization kind of step up your game, you know, whatever. Whatever the driving force may be, or maybe it’s just simply opportunities for the company. An under-skilled compliance manager could certainly put things at risk. So, as an organization, you want to be sure that you’ve got somebody that’s effective at the compliance manager role in the compliance manager’s seat so that they can assist with active protection of the company and keep things running smoothly and efficiently.
You got it. Let’s talk about how experience plays into things when it comes to compliance managers. One of the most important essentials for a good compliance manager is a breadth and a depth of experience. I can’t tell you. Any of my comments aren’t intended to offend. I’ve seen organizations take people on where the target individual, let’s say they’ve got north of a decade in an organization that is doing HIPAA as an example. They’ve been in that one position for 10 years at the one company, etc. I’m sure there are some people that go in and do HIPAA at a single organization over the course of a decade that are freaking awesome. But my general sense of how that worked out is that the experience with a single standard that has a lot of interpretive variability in terms of does this meet the mark or no, all at a single organization, so basically one set of technology that they’ve had to implement, commented on, it becomes a lot more challenging to have that skill transfer, or translate successfully into a brand new gig type of a deal. So having a good breadth of experience, you want to have somebody that’s managed across multiple different compliance standards, you know, multiple different compliance standards such as PCI, ISO, SOC, HIPAA is cool, NIST, you know, etc. If they’ve got all of these various, you know, all these various standards under their belt, you know, now you know that they’ve seen several different kinds of compliance standards over the, you know, across their career, they’re exposed to a bunch of different scenarios and challenges, you know, kind of almost a marker for they’ve been battle tested.
You know? Sure. You know, it’s… It’s got the medals to prove it. I got it. Yeah, exactly. You know, and it’s ideal if they’ve been doing, you know, doing work against a compliance standard with a really broad footprint across the organization. So, you know, as an example, ISO and SOC and PCI, those are going to have, you know, kind of more depending on how they’re implemented or, you know, could have, you know, a very broad spectrum of scope across an organization. So, you know, you want to look for somebody that basically has had to cover these standards, you know, across the board, not at an organization where there was a fervent, burning desire to limit the scope to just this little small section. You know, the broader the scope, the greater the number of issues they’ve had to resolve, the more technology they’ve come in, you know, into experience with, you know, etc.
And then finally, from an experience perspective, you know, certainly is the number of organizations this person has, you know, been doing compliance-related work at. You know, there aren’t any two companies, you know, that are, you know, that are identical, you know. So, as you go from company one to company two to company three, you know, or had a position where the person had exposure to multiple organizations. Maybe they were a security compliance consultant. Maybe they were, you know, working at an assessment firm or whatever, you know, if they’ve got breadth of experience, even though it’s a single job, but they have a breadth of experience across a number of different organizations and having to effectively, you know, interpret each organization up against the, you know, the framework that they happen to be working on. You know, now you’ve got somebody that’s really, they’ve seen a lot more, they’ve experienced a lot more, they’ve had to overcome challenges, you know, across those various standards at various organizations, etc. You know, the more expertise that they’re bringing, you know, then, then generally speaking, the better that it is for, you know, it is for the, you know, for their capability to step in and be able to really be effective as they, as they go down that path.
Sure, now I really appreciate that. Now, what level of organizational skills are required for the job? Oh boy, exceptional organizational skills are needed. You know, every compliance engagement, there’s just a ton, a ton of chaos that comes into the mix. Most compliance managers, you know, feel like they’re simultaneously trying to, you know, keep 250 plates spinning, you know, at the same time. You know, it takes somebody with a breadth and depth of organizational skills to be able to handle various things that are going to challenge them, such as the number of moving pieces and parts, the complexity of doing a compliance engagement, not the least of which is the personalities that are going to come into play. You know, the compliance manager’s job, effectively, I’ve used all sorts of expressions over the years, you know, herding the compliance cats, you know, the chief inmate at the asylum, I mean, it just depends, but, you know, one of the biggest threats to a successful annual engagement is disorganized compliance, a disorganized compliance engagement. You know, you’ve got to be able to keep it together so that you’re prepared for going through your, you know, kind of your assessment. You want to have your act together as you’re entering into the conversations with the assessor. You want to be able to translate and transfer the right stuff to them in a timely fashion. You know, so, you know, really being able to effectively manage all of that complexity is critical.
You know, you also, it’s interesting, when you’re in the compliance management arena, you’ve got to be able to multitask. You know, you want somebody that can handle high volumes of elements coming at them from a multitude of directions. You know, you figure, you know, as the compliance manager, you’re literally sitting, you know, in the middle of this workflow stream where, you know, you could have, you know, you could have five to, you know, 20 people pushing evidence up toward you. You could then be needing to review and pass that along to the, you know, the next element of your workflow. You’re catching things that are coming back from the assessor, you know. There’s a ton of things coming, not the least of which is some of the challenges around just being able to get that information, that evidence, in a streamlined fashion. It takes an astronomical amount of organizational skill to be able to pull that off. I have no doubt.
Now, how do communication skills play into effective compliance management? Well, the compliance managers, they’re continuously dealing with people at varying levels of technical capability. So, in one case… So what you’re saying is, they have to be a people person? Well, this is the interesting part about the people in the compliance space. Some of them, yes, are more gregarious. Some of them aren’t, but whether they are or they are not really sits beside the point. Really what it is from a communication perspective is just the ability to tone your communication to the appropriate audience that you’re speaking to. It’s one of the kind of least heralded skills in compliance management, that ability to one minute I’m having a discussion with the technology gear heads that are configuring network security controls, and then I’ve got to turn around and I’m having a conversation with somebody in HR. Then I turn around and I’m having another gear head conversation with somebody in development, and then I turn around and I’m having a conversation with accounting type of a deal. You’ve got to be able to shift gears smoothly as you’re having these various conversations. The communication skills that are probably most helpful are those that can more readily make that transition. There’s a lot of folks in the compliance management arena because it takes a great depth of technical skill and knowledge and capability. More often than not, that communication capability is something that’s lacking in that person. If you can find somebody that can do that, then you’re really, really doing well. It’s rare to be able to find this particular skill set, but the one thing I would encourage folks that are either in the compliance management arena or contemplating getting into it, this is a skill that will really set you apart from other people. You’ve got your patience tested on it on a daily basis.
You’re dealing with all sorts of frustrations, whether it’s related to technology process, people, and whatnot. Sometimes you’ve got people that aren’t doing what they’re assigned to do. They’re not completing it. Other people are asking the same question a multitude of times. You’re dealing with delays that could have been avoided. You’re constantly having the people that are supposed to be taking care of these elements are getting diverted, pulled off, doing different things. You’re trying to regain their attention to get them to complete the item. Through all of that, the compliance manager needs to find a way to be an effective communicator and not lose it through the process. Communication, I’m going to cycle back around to that. It’s a rare skill.
People in the compliance arena. You know, people in the compliance arena, you know, generally seem to fall into, you know, into one of a couple of camps. You’ll either see the person that is, you know, they’re almost like the cheerleader, the, you know, please will you help, and you know, things along those lines, being a softie the whole time and being sweet and pleasant and blah, because they want people to feel good about, you know, good about, you know, about as good as they can about the compliance process, right? You know, on the other end of the spectrum, you know, you’ve got the folks that are, you know, basically, I don’t know, we’ll call it militant about the whole thing, you know, they don’t care about being friendly, they got a job to do, they’re gonna make sure it gets done and done on time and blah, blah, blah, and they’re basically gonna grab everybody by their ear, drag them through the mud, whatever they got to do to be able to get them over the finish line. You know, and really for those compliance managers, it’s, you know, it is a, it’s a learned skill over time. You know, there’s times when you need to be compassionate, there’s times when you need to be understanding, and yet, there’s times when you need to know, when do I start to ratchet it up? You know, how do I start to ratchet it up? You know, things along those lines, I mean, you’ve got, there are a ton of just, you know, kind of underlying innate capabilities of good people in the compliance management space, you know, that you end up building with that, you know, kind of long term, you know, long term level of experience, you know, it’s really a serious learning ground for, you know, for people that are in the space. I have no doubt.
How is technology pivotal for success here? Well, you’ve got to, you’ve got to be able to, you know, got to be able to have access to the right, to the right technology. You know, you can, I can bring in the world’s most amazing compliance manager, but they won’t be able to do everything themselves, either that or they’re going to send themselves on a needed break from working if they give it a shot. The more that you have manual systems that are in place for managing compliance work, then the less effective they’re going to be than if they have the right technology to automate things which are a complete waste of time. There are a lot of compliance managers that basically get stuck using Excel spreadsheets, and it’s forcing them to spend countless hours needlessly updating statuses, tracking pieces of information by hand, updating their tracking sheet every time somebody’s sending something or rejecting something, etc. And honestly, it is literally for those in leadership. The Excel sheet literally is one of the singular largest wastes of time that you can force them to endure. Because on a compliance engagement, there’s tens of thousands of interaction points on a typical workflow. Why in the hell are you tracking them all manually when you can do that automatically in real time? Certainly on the technology side, I’m a huge proponent of the TCT portal. The reality is that it will eliminate, it will automate it in the technology arena, eliminate the need for just inefficiencies, etc.
It’s actually surprising for the organizations that use the technology properly, you know, they can reduce their overall compliance engagement time by as much as 65%. It’s absolutely 65. That’s why, especially if you are, once you get on, you’re using the system.
If you get it optimized, you end up using it year over year, etc., you know, year one, you’re going to save some. Year two, you’re going to save more. I normally will say to people that it usually is about three years or so before you start to feel like you’re gaining your sea legs, you know, on a typical compliance, you know, management style engagement. Just because, you know, you have to learn from experience and, you know, have a notion of continuous improvement, but the technology will definitely go a long way to mitigating, you know, realms of pain for not only the compliance manager, but for the overall, overall team, those that are submitting their evidence, anybody involved in submissions of evidence, confirmation of things, et cetera, and even the assessors and consultants that you may have on your engagements, they’ll benefit as well. So utilizing a technology solution specifically geared for compliance management, that’ll go a long, long way to checking the box for your technology needs.
Now, what skills do a lot of organizations seek in a compliance manager position that may not be necessary? Well, you know, in the compliance manager arena, what I’ve seen more often than not, now it depends on who you’re looking for, but one of the misconceptions is that although this person, you know, the person that we get, they absolutely have to have some type of a degree or whatever it may be, you know, in, you know, security or compliance management or whatever it may be. A lot of times people push for CISSPs, you know, things along those lines. But, you know, the misconception is this, certainly, having to go through, again, you see a CISSP or like certification, you know, would be, it would be a path where you would be able to prove out that you had a certain baseline of book knowledge, you know, for being able to do the job. So, but that’s about as far as it’s going to go. You know, there’s other certifications out there that are generic, you know, generic in their nature and whatnot. And the bottom line is, is these certifications, the, I used to agitate the heck out of my dad back in the day, but I used to, I used the expression that I didn’t need a piece of paper to tell me I’m smart. You know, the bottom line is that when it comes to the security, to the certification space, make no mistake, the piece of paper doesn’t mean you’re smart. The piece of paper means that you managed to memorize certain things and be able to regurgitate those onto a test. The real world experience that these individuals have, you know, what they’ve done, how many businesses, some of the, a lot of the things we talked about before, you know, that’s where the, where the real key is. If you’ve got somebody that has, you know, has the right, you know, kind of the, you know, you’ve got the right technology ready to, you know, ready to be leveraged. The person is one of those, you know, kind of, I’ll call it compliance management unicorns that, you know, really, you know, has worked out, you know, the, the communication approaches, etc.
And, you know, kind of has a breadth of experience, but doesn’t have a piece of paper that says they’re smart? Don’t think twice. You know, but, you know, that, that’s that. Now, if I’m going to take somebody, if, if the job market, as it has been for now for some period of time in the space, if the job market is tight and you’ve got to go and pick somebody, pick up somebody that is green, you know, either very or mostly green, okay, fine. The, the piece of paper that says they’re smart is gonna at least check the box that says in some way, shape or form, at some point in the game, they knew all of these pieces of information that, you know, might come in helpful. You know, but if you’re hiring somebody, like, literally brand new, you know, to the space, yeah, the, the piece of paper is a lot less important than the, than the experience, if you will. That makes total sense.
Parting shots and thoughts for the folks this week, Adam? You like to use an expression for the compliance, the person that has to hold the compliance program together. And I use an expression called human glue. Because that’s just like visually what I think about. When I think about the person that is literally holding all of this stuff together with sheer will and determination type of a thing, that’s kind of the job of a compliance manager in many organizations. It’s vital for the organization’s security stance. I can’t overstate just how important it is. Find somebody with the right skills, the right capabilities to lead the charge. I’ve seen a lot of organizations that either hired or promoted the wrong person. And it makes for an absolutely disruptive mess that negatively impacts the organization overall. The bottom line is that I think as a general statement right now, given the work climate, etc., I think that organizations will struggle. I didn’t use the term unicorn lightly. Because that’s pretty much what it’s like when you’re trying to go find somebody that’s in the security and compliance space these days. If you do find the right one, it does feel like finding a unicorn. Because it’s just there aren’t a ton of them out there. They’re in high demand. And it’s rare to find somebody that just has all the right skills. But hopefully sharing the discussion that we have today with the listeners will at least help them with evaluating the people that they’ve got to evaluate to go ahead and check the box to lead their compliance efforts.
And that right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow, and I’m Adam Goslin. I hope we helped to get you fired up to make your compliance suck less.