Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable compliance expertise with a sprinkling of personality.

Show Notes: Create a Culture of Compliance

Quick Take

To be truly effective at tracking and maintaining your compliance, you’ll need more than a set of policies and procedures. You need a culture of compliance that permeates every level of your organization. Companies usually see compliance as a siloed activity that rests on the Chief Compliance Officer’s shoulders, or they refer to it as “an IT thing” with no relevance to the day-to-day operations of the business. But compliance is EVERYONE’S job.

On this episode, we discuss the value of, and the secret to, creating a culture of compliance within your organization. The Compliance Unfiltered guys chat about how compliance is NOT just an IT thing, and how to make it an integral part of the whole life of your company.

In this episode, we discuss:

  • What exactly is a Culture of Compliance?
  • Why is it important?
  • How to get from where you are now to having a Culture of Compliance.
  • Once you’re there, how to keep that culture thriving.

Follow Compliance Unfiltered on Twitter and Instagram at @compliancesucks

Read The Transcript

So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less.
Now, here’s your host, Todd Coshow, with Adam Goslin.

Well, welcome into this week’s edition of Compliance Unfiltered. I’m Todd Coshow alongside the one and only Adam Goslin. Adam, how the heck are you today? I’m doing good, Todd. How about you? Man, I can’t complain. I really can’t. I try, no one listens, we keep it moving. No, in reality, I’m sitting here, it’s a beautiful day, I’m having a conversation with you. And this one is actually something that I’m really excited about.

I’m a big fan of building cultures within organizations. I think that ultimately, if you can galvanize a team, or an organization, around a central theme or idea, you’re going to be able to drive to success in a more efficient and effective manner. And I think that leads perfectly into our conversation today, Adam, which is around a culture of compliance. Why is that important? Well, as I was mentioning in the last podcast, the fact is, security and compliance engagements are not just an IT thing. When the program’s being appropriately run, it should have impacts across the entirety of the organization. That means all the personnel, every department, and all the vendors. And so it stands to reason that everyone associated with the company not only has a part to play, but also has responsibilities in relation to your security and compliance program.

I mean, how, I guess, is the best way to go about that? I feel like there are too many companies that treat their annual security and compliance engagement just like an event, yay, and then it’s over. Am I wrong? Yeah, I can’t tell you how many companies treated it as an annual event. It’s like, oh, it’s that time of year where we go through the security compliance scramble. The reality is that if you’re doing it right, then there are things that happen throughout. Part of the challenge that I’ve had through the years of dealing with companies, and trying to help navigate them through their security and compliance, is that they were treating it like some annual event. Everybody goes heads down for fill-in-the-blank weeks, usually months, that type of thing. And then at the end of it, everybody goes, oh, thank God, we made it, we got through that. Now we’re going to go back and do our real jobs, now that we’ve gotten all this security compliance mumbo jumbo out of the way. So they look at the security and compliance annual event as some gigantic PITA that they just have to get through, and then everybody goes back to doing what they’re doing. When you’re running a real security compliance style program, there are important tasks that are driven either by events that happen within the organization, or that are time-based.

Well, let’s talk through some of those. Like, what is it? What does that look like? Yep. So, companies need to be paying attention and validating things all year long. So there are certain events that are going to occur that will instantiate changes. But then there are also items that are just time-based. So, some events that occur are hiring somebody, shifting someone from department to department, any terminations or departures. All of those events should be triggering activities within the organization. You look at things like their change control. Now, this could be change control. Let’s say they’re doing software development and they’ve issued a new product release, or a new release for fill-in-the-blank system. This could be a patching change control. This could be applying firmware to their firewalls. It could be all sorts of different elements that fall into that change control aspect. But change control should be triggering change control, but there are also a bunch of ripple impacts from change control. If I’m going in and I’m making a change, and that change is materially effective, it could ripple into my inventory, it could ripple into my network diagrams, data flow diagrams, and all sorts of different kinds of supporting aspects and elements of documentation for the organization.

So, the change control arena oftentimes is one of the tougher ones for companies to be able to get their arms around. Certainly, the deployment of any new assets would trigger changes to all of those aforementioned ripple impacts that I was just talking about, and any major internal technical changes. So what I mean by that is, let’s say that we decided to recode a site from one language to another. That’s a major change. If I’m going to switch out the firewalls for the organization, we’re going to switch from using this to using that. Changes to the operating system, where I’m going to switch from Windows-based to Linux-based. So, there are certain things that are going to happen within the organization which are going to fall into that major change. Those will trigger a series of internal events, not the least of which is change control. Also, depending on what security and compliance requirements you’re subject to, generally speaking, things like, we need to go rerun our vulnerability scans. We may need to go in and do additional rounds of penetration testing. Things along those lines are going to start coming into play.

Oh, I was just going to ask you, as those things start to come into play, I feel like there has to be some sort of way to stay on top of this stuff more consistently. Am I wrong there? No. The reality is, as I was going through these engagements for the last 12 plus years, one of the big problems was this mentality of everybody treating this like an annual event. One of the things that TCT did, actually over five years ago at this point in the game, it’s funny how fast time flies, but over five years ago, we made a change to the TCT Portal: we implemented a mode that’s called operational mode. So what I was tired of, and what I was encountering, was that mentality of this annual event notion. And so, I would go in and I would show up on site for the annual auditor event for fill-in-the-blank company, only to find out that, oh, well, we forgot to do this, or Bob didn’t do that, or he was supposed to pass it to Mary, or Mary was supposed to pass it to Frank, whatever, everybody would point, right. Basically, they wouldn’t have elements that they should have in place. So we talked earlier about a series of event-driven things that would happen within the organization. But in any given security compliance certification, there are items that need to be done every day, every week, every month, every quarter, twice a year, once a year. And so, that operational mode in the TCT Portal effectively helps to feed organizations a dribble list of things that, hey, these are all the elements that you need to do throughout the period. It also provides them with checkpoints, so they can go in, they know what needs to be done and when, and stay on top of it. And that shifting into that mentality actually made for a huge, huge difference, in terms of the volume quantity of elements that became a problem at the end of the annual scramble that was happening before, because we break these things up into quarters.

And so as of Q1, we could go in, gather evidence, make sure everybody was doing what they needed to do, make sure they actually provisioned that evidence, so that we could go start putting it into the review process. And by looking at it at the end of their compliance quarter one, that also meant if there were problems, tweaks, adjustments, or changes that needed to be made, we were catching this stuff really early in the cycle. So by the time that we got around to Q4, or semi-annual period 2, all of which happens at the end of the year, we now have a roadmap. The client was used to what they needed to produce, and we could make sure that we had it all buttoned up. Oh my God, it made things so much better, because when we get to that annual event sitting alongside their assessor, we’re just able to say, here you go, everything is ready to go. Want that in a red or blue ribbon? We’re on it. And so, it really made a very substantial difference in the feel of that annual event that other organizations were doing. When companies go through and they leave all their compliance to the end of the cycle, it dramatically increases the chances that they’re going to have problems without corrections. And my problem was, I was sitting with the assessor, right? I’m theoretically trying to help this company navigate the waters. How do I explain that Mary didn’t do fill-in-the-blank, or Bob doesn’t have evidence for this quarter, whatever?
It’s a situation that is untenable, and really puts the assessor in a bad situation, the client’s not happy, it’s bad all the way around. So really taking this more proactively made a huge, huge amount of difference in terms of the path these companies would go through.

Sure, and that makes a ton of sense, but I guess now it’s probably time that we actually address the elephant in the room here, and that is a culture of compliance. We’ve talked around the periphery of it, but what is it exactly? Well, it’s really a fundamental difference in how the organization goes about doing what it’s doing. So we talked earlier about the fact that they have this annual scramble that they would go through. There’s a real stark difference between the company that goes through the annual multi-month scramble, and the company that has security and compliance that takes on this feel that it’s part of the DNA of the organization. One of those organizations is a lot different than the company that goes and puts up this good-for-the-company banner that the crafty leadership gets from some management consulting company. It’s a stark contrast to people paying lip service to their security compliance program. Well, I feel like there’s a lot of that out there. Oh yeah, I mean, unfortunately, there are a lot of companies which, I think they’re delusional in terms of how they go about managing their program. Because they’ll pay a lot of lip service about how much they care about security and compliance, meanwhile, they’re not paying attention to it. Let’s say that their scramble takes three months. For the other nine months of the year, they’re not paying any attention at all to security and compliance, they’re just trying to pin it all together and scrape together enough evidence at the last second to try and hopefully, blessedly pass their fill-in-the-blank audit. It’s just a bad situation. The culture of compliance has to be pervasive. It has to get through all of the personnel, all the departments, all the vendors. They need everybody on the same page, rowing in the same direction when it comes to security and compliance.

So, I mean, how does a company migrate towards a culture of compliance, from where they are currently to changing that mindset throughout the organization over towards one that is compliance-focused? Well, it starts at the top, bottom line. No offense to the various owners, or levels of upper and middle management, of most organizations that I’ve worked with, or that I’ve encountered. But that buy-in’s got to happen at the top. It doesn’t do anybody any good to have leadership that’s obviously not supportive of the security and compliance functions. The employees, departments, vendors, they see through that BS lip service that’s put on by the uppity-ups. If they obviously don’t give two craps about it, and it’s more of a thorn in their side, how do you think that the internal people are going to end up perceiving the state of the security and compliance program?

I mean, ultimately when we’re talking about business, it’s going to boil down to the dollars and cents, right? Yeah, well, I mean, there are a lot of examples of how you see what I call the BS lip service bubbling up within the organization. This is just to give the listeners some good introspective points to go look at their own organization. And if you’re checking any of these boxes, well, then you don’t really have a great culture of security and compliance, and have some work to do. So some examples. You’ve got a CFO that’s constantly, never-endingly droning on about how much money we’re spending on security compliance-related expenses. If they are that tight on the purse strings related to what’s being spent on security and compliance, well, really, how important is it? Yeah. I get it that you have a fiduciary responsibility to the organization to try to make the dollar stretch. But there’s a stark difference between wanting to achieve a particular line item goal, and not wanting to spend 10 grand but instead wanting to spend eight grand, type of thing. Okay, fine. But where they’re just straight-up griping about everything under the sun that you have to go spend, then that’s just a key indicator. More often than not, the salespeople. Oh my god. What? Oh, yeah, sorry to all the salespeople out there. But when sales is just bitching about how much the security and compliance functions are slowing down the onboarding of their new engagement, we can’t just fling dollars through so we can all get these wild paychecks. That’s another indicator. CEOs that will de-prioritize, either CEOs or leadership teams, which are sitting there with a list of things they could possibly go in and do, right, projects that we need to get done. They’re constantly de-prioritizing any of the security and compliance elements, and training of the security compliance program.
They’re de-prioritizing security and compliance against what they like to look at as their business objectives, and then there’s this annoying security compliance crap that we’ve got to do. It doesn’t matter how they put it, but anybody that’s paying even a modicum of attention is able to just see through this stuff. It’s like having a spotlight behind cheesecloth. And then, you’ve got internal leadership that are just griping about all the negative impacts the security compliance program is having on their department. Oh, we can’t get our real job done because we’ve got to go and screw around with the security compliance stuff again. You hear it from a bunch of different angles, and those are just some of the examples that I’ll see within organizations. And if you’re seeing that in your organization, there’s some room for growth. The reality is we need to take this stuff seriously, it’s in everybody’s best interests.

So, well, I guess let’s take the opposite approach here. Let’s say in the puppy dogs and rainbows version of this, everything is in place and people are on board and they’re very excited about the new culture of compliance that their organization is building.
How do they maintain it? How do they make sure that it sticks around? How do they make sure that it truly becomes pervasive over time, and not just around that annual event? Well, certainly, we talked about it starting at the top. But not only does it need to start at the top, that ball needs to be carried by those that are middle management and above. Everybody needs to be taking this stuff seriously. If they’re taking it seriously, their attitude, their approach, their push, all of these elements of the security and compliance machine, are going to start driving in that singular direction of managing, maintaining, and taking the program seriously that they’re trying to get put into place. Another element is, just making sure that training’s being performed in accordance with compliance requirements.

Now, what a lot of folks don’t realize is there’s a number of different elements of training that come into play. So certainly, general security awareness training, improving the overall vision towards security of people across the organization. So in some organizations, I’ve seen them take a couple of different approaches. Sometimes it’s the same training session for everybody, and then they end up having some specialized training for certain members of the team. So maybe they’ll have front-liner training, and then in-depth advanced training for folks that maybe have greater exposure like IT. There’s also secure development training. So if your organization’s doing secure coding for a particular solution, which you’re coding from the ground up, then there’s some secure developer training that needs to come into play. There’s also specific training related to compliance around incident response. So your incident response program, whoever’s involved directly in the incident response team, they’ll go through annual training. So all of those are specific prescriptive trainings that will happen in most organizations. But, you also need to go look at, I’m gonna call it internal training, right?
So making sure that all of your personnel are up to speed on the internal procedures that need to be done. So, when we go through the annual event, I’ll give you HR as an example. We’ll go sit down and talk through, okay, well, when we’re gonna onboard somebody, what are all the activities that need to happen? What are the steps and stage gates? Who needs to provide approval? Then who does what? Who provisions their AD accounts, and who adds them to groups, and what groups should they be a part of? Well, that’s all great. And we’ve gotten through that annually, but then right after the compliance thing, right after the annual audit, they go and bring on two interns and one new person in HR. Well, make sure that they’re trained up on what all needs to be done. Because those internal procedures that happen, those internal procedures are really important. We were talking earlier about having that ongoing look to operational compliance for the organization, and not making it just that annual event. Well, if you don’t train the internal personnel on those internal procedures, then that ends up showing itself. All of a sudden, now I’m collecting Q3 evidence for people that we’ve onboarded. And now we’ve got people that didn’t follow the internal process. We don’t have the artifacts that we need to be able to provide as evidence for the security compliance engagement.

Well, I guess that’s the question, how do you ensure that level of accountability? Well, that accountability, when it comes to the internal procedures, that’s something that has to happen internally within the department, right? They know when they’re bringing on personnel. They’ve got to have a locked-up process for the onboard. It’s not just go in and onboard them, whip them an email account, make sure they’ve got access to their stuff, and wish them luck. But when they get into the department, somebody needs to do some internal departmental training to make sure that the new resource knows and understands how things are done, and what things they need to do. When it comes to the training, making sure that that training gets refreshed periodically. I’ve seen in more organizations than not, somebody could, whatever, somebody back in 2016 made the template for the security awareness training, and then they’ve never touched it since. Make sure that it’s changed. I mean, people are going to get bored after year two, three, and four hearing the same stuff. So mix it up a little bit, add some new content, get some new information included in your security awareness training, give them real-world examples of stuff that’s really happening right now, within the last year type of thing. There are a lot of different ways to be able to do that. We’re talking about persisting that culture of compliance. It really comes down to how folks look at the security compliance function of the organization.

There’s also fun stuff you can do. Different contests and programs. Who can find the biggest improvement item this quarter? Give away a $50 gift card. You start getting people thinking about it, wanting to help and protect the organization. Actually, it’s pretty cool watching everybody get behind that security compliance program and become part of it. That’s really what you need to end up doing. Then on the flip side of that, with any kind of structure that you’ve got, with any program that you go lay out, there’s a lot that needs to be done and put in place. Any program needs an enforcement arm, right? So make sure that you’re holding the employees, partners, vendors, and managers accountable. If people are violating policies, and they can just get away with it with a slight slap on the wrist, that says several things to the folks within the organization. Number 1, it just underscores how little you care. Number 2, if there are no consequences, then who’s going to bother giving a crap about doing it right or not? They’re just going to do whatever they want to go do. So if they know that there’s an enforcement arena, then that will go a long way by not withstanding policy violations. For most security and compliance programs, part of that requirement is that there are repercussions, written repercussions.

So one thing, especially for numerous organizations I have seen: I’m not a gigantic fan of either end of this spectrum. So on one side, you’ll have the eternal softies of the world, that’ll let everybody get away with murder. And on the other end of the spectrum, you’ve got the dictators, right? It’s got to be somewhere in the middle. It’s got to be tempered. But there has to be some form of enforcement.
So HR needs to be ready to enact write-ups for policy violations, holding those employees accountable. Because the minute you go in, it’s actually pretty interesting. The minute that somebody goes and gets written up for not following this policy, whatever, all of a sudden, the word gets around, everybody starts paying more attention. So it’s a combination of things. I’m not a huge fan of the heavy-handed security compliance program, because people tend to then resent it. But it’s got to be a combination of holding them accountable, while getting them engaged, and having management support while bringing the employees in, and being part of that program by encouraging their input, encouraging their feedback, and putting together programs where they feel like they’re an active participant. Make it so it’s not something that everybody talks about; it’s just something that everybody does because it’s part of the deal. Yep, yep, that’s for sure.

Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow. And I’m Adam Goslin. Hope we helped get you fired up to make your compliance suck less.