So your company has decided to become compliant, and you’ve been nominated as the point person to lead that charge. The Sales and Executive teams realized that achieving compliance certification could give your organization a competitive advantage in the marketplace, and they’re counting on you to gather up the documentation and get all the paperwork signed off with an auditor. “Shouldn’t be too difficult,” your boss says. “I think we’re nearly there already.”
Welcome to the Compliance Zone.
You will quickly discover that there’s a lot they don’t tell you about achieving compliance when you first get started. The downside is that there’s a lot more to it than you expect when initially becoming compliant. It can be overwhelming. To put it bluntly, managing compliance sucks. But they also don’t tell you how to make compliance management suck less. As challenging as this journey can be, there are key moves you can make to minimize the enormity of managing a compliance engagement at your organization.
Let’s take a look at the things you need to know as you get started on achieving compliance for the first time.
Achieving Compliance Isn’t Easy
No one tells you how much effort it will take to become compliant. Many organizations go into it thinking that they have most of the requirements in place already, and it’ll just be a matter of tweaking what’s already there. They don’t, and it won’t.
A lot of folks assume that all you need to do is use a secure compliant hosting provider and you’re compliant. Others think that the IT department should already be compliance experts. Security and compliance isn’t IT. There are overlaps, but the areas of expertise are vastly different. Just because you have top-shelf IT personnel, that doesn’t mean they’re prepared to lead your company to achieving compliance. Security and compliance are more challenging than making sure you have antivirus software.
There are countless moving parts to manage, documentation up to your eyeballs, and hundreds of line items to track across a complex compliance workflow. It’s virtually impossible to do it all manually. It can be done, but you’ll spend hundreds of man-hours and thousands of dollars in operational costs to make it happen. And that’s not an exaggeration.
It’s not like getting an online certificate where you watch a series of videos, take a test at the end, and get a badge that you can put on your website that says you’re compliant.
6 Keys to Building a Kickass Compliance Program
Compliance Takes Longer Than You Think
The Executive and Sales teams are excited, because of the competitive advantage in achieving compliance. But enthusiasm wanes when they realize the project is pulling you and your team away from your core responsibilities.
Achieving compliance pulls you and your team away from your core daily activities and demands your attention on a regular basis — for months. Executives may expect you to spend a couple hours here and there on compliance, but it will take dozens of hours every week.
Many organizations that take on their initial compliance run spend as little as 6-9 months, but it often takes much longer (my very first trip to the compliance rodeo took about 18 months) navigating their way through it. And once you’ve achieved certification, compliance becomes an ongoing reality for your entire organization. If you take on this effort, you’re in it for the long haul.
Be prepared for the time commitment, and develop a plan to account for it.
Don’t Sweat It! How to Master Your First Compliance Certification Project
Becoming Compliant Isn’t Cheap
Unfortunately, there are plenty of companies in the compliance industry that make it sound like you can purchase an affordable solution, use it as a silver bullet, and — BING — you’re compliant!
The truth is, if you’re earnest about becoming compliant, it won’t be cheap — especially if your organization is starting from Square One. Between internal labor costs, running the program, various vendors / solutions needed and keeping track of everything, you should be prepared to invest $250k to initially achieve compliance, and $100k to $200k annually when accounting for all of your costs.
That said, many companies have some aspects of compliance in place, so the total investment depends on the state of your company walking in. In either case, achieving (and maintaining) compliance isn’t cheap.
Featured Case study
Phoenix Financial Services Navigates Compliance Chaos
Learn how TCT removed Phoenix Financial's overwhelming challenges of becoming PCI compliant.
How to Make Managing Compliance Suck Less
If you’re starting to think that managing compliance really sucks, you’re getting a realistic view of the effort ahead of you. But you can make it suck less and take a lot of the pain out of your compliance management efforts.
Related: Your First Compliance Audit: Will You Crush It or Get Crushed?
Get executive commitment
Your experience achieving compliance will be astronomically better if you’ve got the full support and buy-in of your executive leadership. Not just permission to become compliant, but a full commitment to do what it takes to take it on the right way. That means:
- Consulting experts about what it takes to achieve compliance, and counting the cost ahead of time
- Investing in the tools and resources you need
- Prioritizing your compliance efforts, even when it means taking time away from core responsibilities
Rely on a knowledgeable guide
You can do compliance without a security and compliance consultant, but it’s a hell of a lot more painful to figure it out on your own. When you use a consultant, you immediately benefit from their years of experience and their depth of knowledge. Consultants do nothing but security and compliance on a daily basis. They’ve seen it all, and they know the terrain — the pitfalls you don’t see and the maze of paths you can get lost in.
While companies that go it alone can take up to 18 months to become compliant, a consultant can typically get a committed company there in six to nine months.
Invest in the right compliance tools
A nominal investment in compliance management software can drastically reduce your time and efforts across the organization. TCT Portal was built to streamline your compliance engagement by removing duplicate work, automating most of your manual processes, and providing real-time status updates. These capabilities combine to reduce your compliance time by 65 percent or more, eliminating hundreds of hours and saving thousands of dollars — and getting your people back to the work that builds your revenue.
Buying Compliance Management Software? Better Ask These Questions First.
You can run the numbers for your own organization and see how much time and money TCT Portal can save your company. Check out the ROI calculator for TCT Portal.
Manage Compliance with Confidence
Achieving compliance takes more than a silver bullet. It takes hard work and a good deal of effort. But if you know what to expect and have the tools you need, you can minimize the pain and frustration — and the costs — of becoming compliant.
TCT exists to put in place the very things I wished I had when I went through compliance for the first time. I would have loved to have an amazing system to help keep track and manage all of our stuff. And I would have loved to have someone that I could open up to, who would be part of my team, who could give me the right answers, the right direction, the right guidance, and help me get prepped up to get through the audit.
Even if my organization hadn’t required a full scale third-party assessment, it would have been great to have an opinion other than my own that the solutions we had in place truly met the objective of the control criteria we were attesting to.
TCT provides consulting and software to make managing compliance suck less. Don’t get buried by your compliance engagement — let’s talk about how you can manage compliance with confidence.