Compliance Unfiltered is TCT’s tell-it-like-it is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable, compliance expertise with a sprinkling of personality.

Show Notes: Common New Compliance Manager Mistakes

Quick Take

On this week’s episode of Compliance Unfiltered, Adam and Todd take a thorough look into the common mistakes of new compliance managers.

We’re all human, we all make mistakes, but what are the ones that compliance managers are most prone to?

  • Why should new compliance managers take a “Crawl, Walk, Run” approach to a new organization?
  • What type of relationship should you be developing with the company’s top brass as a compliance manager?
  • And what type of preparation should a Compliance Manager put in to truly be prepared?

The CU guys will tackle all these topics and more, on this week’s episode of Compliance Unfiltered!

Remember to follow Compliance Unfiltered on Twitter and Instagram at @compliancesucks

So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less.

Now, here’s your host, Todd Coshow, with Adam Goslin.

Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow. Alongside a man who’s got compliance days circled on his calendar every day, Adam Goslin. Adam, how the heck are you? I’m doing fantabulous. How about yourself? Man, I can’t complain. Can’t complain. Can’t beat fantabulous, but we’ll do what we can here. Today we’re going to talk about mistakes, and we all make them, and it’s just part of the deal.

But we’re going to take a hard look at some of the common mistakes that new compliance managers make. So directionally, what are new compliance managers prone to do? Well, I mean, whether they’re coming in as a new hire, or in some cases, some poor soul gets nominated.

We nominate you to be the compliance person. Regardless, right? I mean, it’s human nature. Everybody wants to come into their new position, and make a difference right out of the gate. And so typically what they’ll do, is they’ll just go head first into doing it. And the thing that they miss is, they’re about to drown from 18 different directions. In the long run, for long term benefits, there’s a much better approach. They can take the time out of the gate, understand the context of the organization, which then better arms the compliance person for making the right decision.

Well, I guess that leads me to this question. I’m curious, why should new compliance personnel take that crawl, walk, run approach? Well, it’s important for them to understand that environment, right? You’re walking into something that’s astronomically complex. So I’ll give you some real world examples, right? You’re walking into carrying the baton for your organization. You’re going up against, even if it’s just PCI, you’re talking about hundreds of line items of stuff that needs done. You may have a series of vendors in the mix. You may have a plethora of internal departments in the mix. You could have decisions that were made around how the organization is doing what they do now, that were based on reasons that you don’t know. Well, gaining that understanding of the environment and players, reasons, etc. Those are all critical and important things. Now, can you just throw all caution to the wind and go head first and whatnot? Well sure, but those rash decisions as you’re running through the process, are going to lead to pitfalls. You know, maybe a compliance manager sundowns some system. Oh, we don’t need this, let’s dial it off. Come to find out, it’s one of the systems that they needed to have in place, to support compliance. Maybe there’s a vendor whose purpose isn’t fully vetted out. Well, this other vendor also does this one thing. So why don’t we just go ahead and consolidate vendors and poof, they go off running down the path, not realizing that the vendor they’re ousting wasn’t just doing that one thing, they were doing another three or four things that they didn’t even know about. So gaining understanding is huge, in terms of doing research when you’re walking in.

If at all possible, have a conversation with whoever your predecessor was, that got the honor of carrying the compliance baggage for the company. Talk to them, become their friend. I mean, a lot of people get hung up on trying to like make their mark. At the end of the day, it’s more important that you do it well, than you make your mark. And so talking to them, and learning from what they know, learning mistakes that they’ve already made that you now don’t need to. Have conversations with the list of vendors, going through and reviewing any prior compliance reporting framework, or tools that you have in place. Understanding how this stuff is being done and managed today. You can’t change a thousand things and expect everything to go swimmingly, but get your arms around all of those various and sundry items. Are you going to be happy with what you find? Probably not. But the bottom line is, gain an understanding so that you can make smart and informed changes. It doesn’t mean that you need to sit in this analysis paralysis for years on end. And, you’re just putting off these critical changes. You can make them at the right time, but just make them at the right time. I guess that’s the bottom line. I think that’s really profound. I really do.

Now talk to me about managing up in this role. What should the new compliance person’s relationship be like with the company’s C-level suite folks? What is the top brass going to expect out of this person? Well, the most important element of that relationship is the fact that, while the new compliance person has received the wave of the scepter, the scepter has touched both of their shoulders, some people spoke some words, etc. That’s all great and everything, but you have to be on the same page with the leadership. You need their buy-in. Just because they waved the scepter, doesn’t mean they’re just going to do anything you say. You’ve got to establish a relationship with these people, gain their buy-in, gain alignment with them. It’s critically important in any organization, that you need to have the security and compliance support coming from the top down. If you’re attempting to singularly steer the ship of compliance for a company, well, if the top brass aren’t on the same page, and or they don’t take it seriously, or they’re not being supportive, and or in some cases I’ve seen, deliberately or inadvertently, violating the core tenets of security and compliance for the company, then your job is made astronomically more difficult. And so, you wanna get with the people in the C-suite, or top brass, whatever, and get to a plane of common understanding. Why is what you’re about to go do important to the company? Not just why is it important in general, but why is it important to the company? What’s the benefit of this function? Why in the hell did you get the job? They obviously thought it was important enough to go put somebody in the hot seat. You need to attempt as best you can, to make a connection between their stated reasons and the reality of your position. You’ve gotta close that gap. So getting the groundwork laid with them, establishing regular meetings. Now, a lot of them may balk at this, right? So you’ve got several options that you can go down.

Certainly, if you can get, hey, we’re gonna do a half an hour every two weeks with these core people at the C-level type of thing, fantastic. If they start pushing back, oh gosh, we’ve got so many freaking meetings. I don’t want another meeting to go throw into the mix. Then work with them, maybe they have a weekly leadership meeting, maybe get on the agenda every two weeks. But the important part about establishing this groundwork, and gaining that meeting cadence, etc. Do not, under any circumstances, allow these meetings to just slip away. It’s so easy for everybody to say, hey, look, we’ve got important stuff to do, so we’re just gonna knock off the security and compliance discussion this time. We’ll regroup in another two weeks. Meanwhile now you’re going four weeks, the next thing you know, it’s six weeks, and eight weeks. Your job if you will, is to be that voice for the organization, so that you can go ahead and gain that cadence, if you will. So don’t let the meeting slide. Start, and as a practitioner, be really cognizant of not wasting their time. The execs are just looking for bullets, they’re looking for high level, they’re looking to make it efficient, effective, and move on. So don’t earmark 30 minutes, when you can get it done in 15, don’t earmark 15 if you can get it done in 10. Make sure that these things have structure, that you’re prepared, that the meetings flow. Similarly ask the executives, are you getting out of this what you expected when you walked in? Are there changes that I need to make to what I’m doing? Is there information that you’re curious about that I’m not delivering? You want to make sure that it’s a two-way street, that you’re doing everything that you need to do. You’ve got to be able to get to the point where you can establish and keep that relationship with the uppity ups. That makes sense.

Now how should the new compliance person identify what compliance is actually in play for their company, like what certs do they need? So, the first question can be, hey, what certifications are we doing today? Go and ask that question. Certainly we talked earlier about vendors. So if there’s assessors, auditors, and consultants in the mix, go pull them, go pull the internal personnel, get a solid list of here’s all the things that we do on fill in the blank cadence. Now the one thing that I will flag here, is that something like PCI or SOC as an example, those are things that will happen with regularity each year. But, there’s some certifications that will pop up every three years, there’s some certifications that will pop up with a heavy load every X number of years, with a lighter load on the off years. So, really make sure that you understand the landscape of what all we’re doing right now. That said, I would also encourage the new compliance person, don’t walk in with this, okay, well this is what we’ve been doing since the dawn of time, so it must be right. Ask questions. Part of your job, is to be the voice of security and compliance for the company. So, I would go and have conversations with various folks in sales, specifically sales leadership. Oftentimes the sales folks, especially the frontliners, the frontliners will be getting inquiries and requests from either prospects, or existing clients that they serviced previously. So they may be seeing a pattern of somebody constantly saying, hey, do you guys have whatever? Do you have NIST CSF certification? No, we don’t have that one, but we’ve got this one. Well, if the question on NIST CSF is coming in at an alarming rate, you could be torching some things, you know. So find out what sales is seeing in terms of requests.
Also, your cyber liability insurance, that’s another good place to go in and look and see what we’re obligated to do, because that will contain certain technical requirements for what the organization is supposed to be doing on a glint of things that need done there. Depending on the client, on the company’s industry, maybe there are certifications that may be missing. So an easy one, somebody that’s in the medical field, but they aren’t going up against HIPAA as an example, that type of thing. So just making sure that you’ve got that in play. Maybe you’re one of the tiered vendors for DOD, but you’re not currently going up against CMMC, but you’re doing NIST 171 type of thing. So just making sure you’ve asked the questions there, and done that analysis as well.

The final element for a recommendation is go to your legal department. There’s really two realms of conversation that I would put to them. As a newly minted compliance person, you don’t know every single possible applicable regulation that the company may be subject to. Has anybody ever gone to their legal department and said, hey, from your perspective, what all are we obligated to be compliant with? So go ask the question. If your legal person, because I’ve seen all sorts of variety here, sometimes the legal representative is like, whatever, the owner’s cousin and started doing this, whatever, 18 years ago. But the owner’s cousin that started 18 years ago doesn’t have a clue of what’s going on in the cyber arena. So again, seeing and assessing where we’re at from a legal representation perspective, and guidance perspective. We ought to have somebody in that legal department that can go ahead and get us some good input on what should we be doing. The other piece where legal really comes into play, it may be legal, it might be other departments. But certainly, if your legal representation has, oh, I don’t know, never seen any of your agreements, your contractual agreements with clients, that’d probably be a good idea. But somebody inside the organization, is the holder of the contracts with the clients. Whomever it is in that company, like some people have a contract person, somebody hands this stuff to accounting, some will ship it through their legal department, sometimes it’s some administrative assistant that organizes all of it. Whomever it may be that’s got those, having somebody in the company going through, and actually reviewing any of the existing contracts is a great idea, because you’ll find all sorts of nuggets in there. Who knows what somebody decided to sign off on 12 years ago, right?
Well, 12 years ago, we just wanted to land this business, this big gigantic whale, and so of course the salesperson just decided they were going to go ahead and insert whatever provisions that the company wanted, because we just want to make the sale. Meanwhile, the company’s contractually obligated to this thing, and nobody’s ever seen the agreement, and nobody even knows that they’re supposed to be doing this stuff. Sales folks over here catching strays on this podcast. Well, I love the pot shots at the folks in the compliance space, equally as much as I do with the salespeople, so no fear. That said, but no, honestly though that arena, you would be surprised how many organizations don’t bother. But when they do, oh, they’re shocked at some of the crap that people signed off on eons ago, when they didn’t have nearly the structure or oversight that we have today, when we’re using these standardized templates. So yeah, it’s a pretty entertaining arena to go get into.

Well, that actually leads to a great question, which is what steps should be taken with the vendors for the organization? Well, with any luck, somebody actually has a list of who they deem the key vendors, right? For security and compliance. If that exists already, cool, good starting point. But what I would strongly suggest is, what I’ll usually do when I’m going into an engagement, is trying to get together the vendor list. I’ll actually just say, F it. I’ll go to accounting and I’ll say, I want accounts payable to print a list of anybody that we’ve paid in the last year. You do something along those lines, you’re not gonna miss anybody, you’ll have a list of people that’ll be on that list, that you can cross-check against the existing. But, there will be a ton of stuff in this list that will be, no, I don’t care about fill in the blank vendor, right? Because, they’re irrelevant to the security and compliance arena. That said, I will guarantee you that there will be ones that you’ll pop across that you’d be like, why aren’t they on this list? What exactly is it that they’re doing for us? So it’s a real moment of discovery, going down through that list, and curating it. Once you’ve got a good process for vendor onboarding in place, with your newfound shiny compliance badge, then great, now you don’t need to worry about going back to the accounting arena, but that’s certainly a good upfront check. Once you’ve gotten your list of anybody that was already on the list, obviously for anybody else that’s quote, new, that you need to add to the specter of the security and compliance arena, go back and look at any of the vendors that made the list already. Go back and look at what vetting was done on these vendors.

The reality is, more times than not, I’ll give you a real world example. This actually popped up within the last three months or so. Somebody at the leadership level of a client organization, had gotten an introduction to somebody that they thought was awesome. They thought, oh, these guys really have their act together, and went off and did their own thing. They had conversations with this particular vendor. They basically, put them in play for a proof of concept. And next thing you know, this vendor’s getting charged with, I want you to do this, and I want you to do that, and blah, blah, blah. Next thing, the train has straight left the station, right? It’s flying down the tracks, and we’re in the process of watching this vendor starting to basically come on as like a core vendor for the security and compliance arena. And yet nobody had done any of the appropriate vetting for said vendor. And while you go ask the dumb question, right? So what due diligence did you do? And then they come back, well, we spoke with them, and they have these certification letters on the signature lines of their emails, and they really seem to know what they’re doing. And, we double checked their financials. Okay, that’s all fantastic. But, are these guys going to have access to sensitive data on their systems? Are they compliant with anything? Have they validated or vetted this through any third party? Other than their word, and the initials at the bottom of their email. And you end up discovering shortcomings, if you will, by folks that’ll bypass. So it’s just an example of how this stuff will pop up. But I’ve seen people that have hired their cousin, who knows how to do DVR systems. And so they got hired back in the day. So review the vetting that they’ve been through, certainly across the board, whether they’re existing vendors, or if they’re new additions to the list, that didn’t really have any real focus previously.
Well, you may have some upfront initial vendor vetting, even though they’re existing vendors. But, there may be some initial questions that you need to go in and ask, but across the board. Once you’ve got your list of vendors, then you need to make sure, are all of these companies up to date on their annual certifications? Whether it’s PCI or SOC or ISO, or something else, whatever, what is appropriate or pertinent for their role? Have they been keeping up with their third-party certifications? That’s an element that a lot of folks will miss through that process. Sure, that makes sense.

Now here’s a tricky one for you. What about getting a feel for the operational compliance landscape of a company? Well, the reality is, is that there’s a myriad of things that this new compliance person is going to want to do, want to know as they’re walking in. Being able to hit the ground running, so they can be operational in the compliance arena. So some of this seems like dumb questions, but hey, guess what? What internal resources do you have that are doing stuff for your compliance initiatives? What are their relative capabilities? Are they good at what they do? Do they need some improvement? Do they lack training? Looking at the vendors with a similar eye. What are those vendors’ capabilities? What are they doing? What do they know? Are they doing it well? Better yet, as the vendor, do they have a boat ton of ideas about how to make things monumentally better, but nobody was listening. So, they’ll be all over the board, but have those conversations. What types of documentation and instructions can you physically put your hands on, and what’s all missing? For most organizations, I think I can say this fairly ubiquitously, but documentation, training, and instructions are usually the last thing that people are doing. Everybody gets buried and busy. Mary did it last year, so, Mary knows what to do this year. Well, that’s great until Mary gets hit by the bus, and then you’ve got nothing. Do you have a rock solid repository, of all the files that were used from your private, previous compliance cycle? Are those organized? Can you tell what was used for what? Is there document versioning in place, that type of thing? Asking the question across the board to the folks that you’re talking through. Hey, the last time that we did compliance, was it as big of a crap show? So trying to look at it from the perspective of getting the context, those are all important questions to ask as well. Understood.

Now, what thought should be put into the compliance management side itself? Well, for the new compliance person, you definitely want to look at implementing a system, a rigorous system that will replace spreadsheets, network drops, file locations, and stop compliance evidence from being spread all over hell’s half acre, through meeting notes, emails, and text messages. I mean, it’s so easy to drown in this arena, with just a garbage bag of compliance crap. So don’t get sucked into that vortex of, I like to call it, the compliance person becoming the human glue that holds everything together. Because if you get yourself into that position of basically being the center of the entire freaking compliance universe, you’re not getting back out again. It’s damn difficult to get out of that mode.

So what I would suggest is, look for the organization, look at investing in a cost effective tool for your own company. What I mean by that is, we’ve covered in a couple of different ways, the importance of an organization that’s going through compliance, having their own repository, their own compliance management system, that isn’t the property of their security compliance consultant, or property of their assessor. Because things happen, maybe you switch assessor, maybe you switch consultants. Hey, at least you’ve still got your tool that’s yours. There’s several dividends that you owning the tool will pay. You get to know things like, who did what? When did they do it? What specific evidence was used last year? You have evidence that’s at your fingertips. You ask anybody that’s gone in to pick up the pieces of somebody else’s compliance program. It’s basically varying degrees of disaster that you’re walking into. So managing compliance manually really sucks, but using an automated compliance management system makes it suck a lot less. That’s fair enough.

Now, parting thoughts and shots, we’ve come to that time of the episode. What else do the people need to know? Well, apparently the people need to know that my landscaping crew is hard at work outside, if you can hear the lawnmowers going by. But no, parting thoughts and shots. Well, you go ask somebody that’s an experienced compliance person, ask them to go look back at their early days of their existing position. It’s almost like you can watch their eyes dreamily looking back at the time when things were simpler. They look on it with nostalgia, when they actually had time to breathe, when they had the opportunity to make what they deal with now suck a lot less, because they actually had the opportunity and the time back in the day. I would tell the new compliance person, look, that first month to three months do not, under any circumstances, evaporate that time. Use those early days, because they evaporate so quickly. Using those days, doing some of the things that we’ve talked through here, it gives them the opportunity to lay the groundwork for their future. It’s not saying you need to do nothing during the first, 30 to 90 days type of thing. No, I’m not saying that at all. You can start tweaking and making changes and things along those lines. The problem is, you don’t have the context yet to see nine months or 18 months into your future, to realize just how much it’s going to suck. Because here’s what happens, Todd. All of a sudden, the company goes and acquires another company. Oh, we bought a new company, guess what? Now your compliance arena went from your existing suite of certifications, to now I’ve got to go onboard an entirely new company, with possibly totally different certs, with different vendors. So, maybe we go decide to layer on two or three new compliance standards in the interim, whatever crap show that you didn’t resolve in that first 30 to 90 days, dude, it’s just going to keep getting worse and worse and worse.
And the problem is, is that new person is going to really struggle when they start getting to that nine month 18 month, fitz really hit the shan at this point in the game, they’re going to really struggle to get openings in their calendar that will allow them to go in and make the changes that are necessary. They’re basically going to be in the process of drowning while they’re trying to materialize time, as they’re trying to go back and do the things that they wish they’d done in that first, 30 to 90 days. Yeah, that makes a ton of sense.

And that’s the good stuff. Well that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow. And I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less.
