Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable, compliance expertise with a sprinkling of personality.

Show notes: Handling Turf Protectors on Compliance Engagements


Quick Take

On this week’s episode of Compliance Unfiltered, the CU guys give a full breakdown of what turf protection is and what it looks like in an engagement setting. Adam covers the typical signs of Turf Protection, which ones you see most often, and how to appropriately address those situations.

Have questions about how to handle these issues in the moment? Adam has you covered there too – with an in-depth look at how to defuse Turf Protection on engagements, and what to do if you’ve tried everything, and you’re still stuck.

All on this week’s episode of Compliance Unfiltered.

Remember to follow Compliance Unfiltered on Twitter.

Read The Transcript

So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less.

Now, here’s your host, Todd Coshow, with Adam Goslin.

Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow, alongside a man who’s here to butter your compliance bread, Adam Goslin. Adam, how the heck are you? Oh, I’m doing great, Todd. I’m just sitting over here having my daily decision-making process. Do I go Mai Tais, or Molotov cocktails? Both serve their purpose, sir. Both serve their purpose, indeed. And you know what? Sometimes we, in the compliance world, end up having to deal with folks that get in the way of us serving our customers. And, that’s what we’re here to talk about today. We’re going to chat about some obstinate folks. People that get in the way of us doing our job properly. And those are folks that really, we could do without in the space. And so, today, we’re going to chat about dealing with turf protection on a compliance engagement.

So set the stage for me here, Adam. What do you mean when you refer to turf protection? Exactly. Well, when you go on to an engagement, in many cases, especially when it’s like a new relationship, you’re going to bump into somebody that’s feeling territorial about their job. When somebody’s protecting their turf, you’re getting various forms of resistance. It could range from, someone dragging their feet, questioning your expertise, outright refusal. So, sometimes the turf protection can be hard to spot. Maybe it looks like helpfulness, but doesn’t yield any actual help. But the job, as someone trying to help an organization navigate the world of compliance, regardless whether you’re internal audit, consultant, assessor, etc., it’s a lot less fun when you’re dealing with somebody that’s more interested in protecting turf, than being part of the solution.

Most certainly. Now, where do you typically see signs of turf protection in play? Well, for management level, you’ll see it as processes and responsibilities morph. There’s certain people that have kind of navigated their way through the organization, gotten to a certain point in terms of level of responsibility, and feel a good sense of ownership. So, especially if you’re trying to go in, implement good best practices, etc., there’s some modifications, tweaks, changes that need to be made. Okay, well I understand that Gene used to do this since the dawn of time, but we need to move this over to Mary because, we need to have checks and balances etc. So, you’ll see it there. You’ll see it from various participants in the compliance engagement. You’ll see it from folks in HR having issues, legal, the sales arena, and more prevalently with the developers and IT crew, you’ll see it in that space as well. Consultants and contractors to the company, will often get territorial, as well as vendors. The existing vendors, yeah, existing vendors to the company all of a sudden, they’ve got a relative noob to deal with on the compliance engagement and, they’re getting their hairs turned up a bit, shall we say.

Yeah, that makes total sense. Now, which, of these are most prevalent with turf protection? Well, I can see we’re going to have problems with turf protection today. Most of the time, when you’re dealing with turf protection, generally speaking, I’ve seen it most prevalent in the IT department as a general statement, and vendors. Those are the two groups that tend to have the biggest issues, if you will. Well, it’s important to understand the why here. I’m a big why behind the what guy, obviously. So what are the causes of this type of territorial behavior? Yep, so the first element that plays into it, we’ll put it in a bucket of fear of being exposed, type of thing. What I mean by that is IT folk in general at an organization, they’re used to being, kind of the be all, end all experts of their domain, right? It’s a specialized skill that they have knowledge about. Whenever there is an IT problem, they go and walk over to the IT Oracle, and ask their question. And here’s the thing, it’s almost like, the notion internally is, oh, well, it has something to do with IT, so I’m just going to go to my guy, or my girl, that heads up the IT department and they’re going to be able to help me. And internally, it’s a little bit of a challenge, right? Because, whether they did it knowingly or, it just happens to do with IT, they went to IT.

The leadership executives, ownership, whatever, they’ve got this misnomer of the people that they’ve got in their IT department. And that is, well, they know how to do day by day IT, and they know how to manage our computer systems, and they know how to manage our servers, and infrastructure, so, they must be security and compliance experts. And, the problem is, that’s a bad assumption on the part of the leaders of the organization. It’s something that eventually, they’ll kind of come back around to understand, where does that expertise lie? Now, it’s not to say that internal IT folks don’t know anything about security and compliance, because there’s some that do, but generally speaking, they’re really good at doing their job. But, in many cases, they’re not security and compliance experts. So, they’re kind of caught in a catch 22, right? Leadership is sitting there saying, well, they must know what they’re doing, and all of a sudden, now you’ve got this compliance engagement that comes into play that starts to, from the IT folks perspective reveal cracks in this, what otherwise used to be pristine vision of how things are, and where we’re at, and things along those lines. So, it’s, kind of a rub in there.

So, when you get some compliance person that starts poking around, asking questions, finding things that need improvement, etc., it makes people uncomfortable. In many cases, they don’t want it known that they’re not an expert in everything under the sun, because that’s the flag that they’ve been carrying since the dawn of frickin’ time. And, it’s not just IT, it’s kind of all over the place, you’ll get the same type of thing. The reason it ends up being more prevalent with IT is that, generally speaking on compliance and security engagements, you’re going to be interacting mostly with gearheads, but there’s things that happen in HR, and in legal, and the sales team, need to be doing things differently, etc. So you’ll see blips over in those other departments. But, because the load isn’t as great on them, it doesn’t bubble up to the surface, if you will, as much.

The other piece that plays into it, is that fear of being replaced, right? Depending on the organization that you’re dealing with, you’ve got contractors, you’ve got vendors that are in the mix. Contractors and vendors is a really interesting arena, I’ve, especially seen it in the day by day IT folk, day by day IT vendors, type of thing. There’s a world that’s just fricking cutthroat, them especially. But, this is a generic statement across most of these vendors. They’re used to having some other company poking their nose in, getting their nose in the middle of everything, wanting to take over the world, stabbing them in the back, and just generally speaking, especially the vendors, they’re just on high alert, whenever somebody new enters into the mix, they’re almost trained or geared to be defensive, to set up these walls. And the problem becomes that, when you don’t have that level of trust with the vendor, then now that’s what you’re dealing with, and it’s really an impediment, if you will, to being able to just make forward movement on the engagement in general.

Yeah, it’s a challenge for sure. Now, what are some ways the listeners can defuse turf protection on engagement? Well, first and foremost, whenever I’m starting a new engagement, one of the first things that I’ll do is sit down and talk with the executives, and leaders of the company, and discuss that notion that I was talking about a little bit ago, how they just imparted all that is IT to their present IT oracle. I’ll sit down and I’ll let them know, look, I don’t know where you’re at in the grand scheme of things. I understand you feel great about where you’re at and everything, but I guarantee you, I’m gonna find out some things, I’m gonna discover some stuff that needs to be tweaked and adjusted. And I mean, I don’t know how good your people are. I don’t know how much improvement’s going to need to be made, but IT people are not security and compliance people. One of the things that I’ll try to impart in those leaders is, I’ll let them know, look, walk in with the notion that there’s gonna be things that need to be buttoned up, that need to be improved, etc. And, what I’ll try to reiterate to them is, look, don’t come down on the people on your team over, oh my gosh, this is where I thought we were, and now it looks like a complete crap show or whatever. Don’t do that to them. If the right approach is being taken, then, you do it in a positive way. Hey, this is great. We’re learning things about things that we can make improvements on, etc. What I’ve discovered for the most part is, the folks that are on the front lines, they’d love to do it appropriately, properly, right? Etc. And in some cases, they made it work with whatever they’d done previously, but didn’t really know, what was the right thing to go in and do.

So, the other side of those kind of upfront, tone setting discussions is, then also talking to the employees, the contractors, sit down and make it clear to them that, your job is to assist with this security and compliance engagement. You’re not looking to go take over their job. You don’t want to run their day-by-day IT. You don’t want to supplant them as a vendor, etc. Try to make it as clear as you can to those employees and contractors, what your approach is going to be, and that they don’t need to have their shields raised, etc.

On the vendor side, similar notion, just have some open and direct discussions with the vendors while you’re at it, and make sure you’re being transparent about what are we going to go do here, etc. One of the things that I’ll typically do on an engagement is I’ll literally come right out and tell them, look, I don’t have some bucket of favorite people that I go in and deal with, where we’re just going to come in, and supplant everything just because. I would far rather on an engagement, assess where are these folks at? What are their capabilities? What do they already have? What could they extend into, etc.? Because, you’re always better off to keep the continuity of the amount of knowledge that has been gained through the client and the vendor, or the client and the contractor working together. So I’ll always try to take an approach of trying to help the client leverage what they already have, and the investments they’ve made, over just outright swapping it out, you know what I mean?

That makes a ton of sense. That makes a ton of sense. So, the other thing that I’ll do is, I’ll kind of watch out for trouble points. In some cases, bonds between clients and vendors are so strong that a territorial vendor can honestly derail a security compliance engagement for a period of time. The vendor’s busy telling the client that they’re helping you, etc. But, they really aren’t and whatnot. Maybe, they’re just stalling their way through it, just because they don’t trust the security compliance person yet type of thing. So just keep your eyeballs out for those instances. Use of soft skills is a big one on these types of engagements. Empathy goes a long way when you’re encountering resistance. So, you gotta sit and try to figure out what are the specific reasons these people are trying to protect their turf? Are they getting pressure from above? Maybe you didn’t articulate yourself clearly enough. Sometimes what I’ve experienced is, despite how much I would tell them on day one, I’d tell them what I’m about, and how I’m going to approach it, and things along those lines. A lot of times it goes in one ear and out the other, because they don’t trust you at all. And so, sometimes it makes sense to cycle back around and have that conversation, literally a second time, so that you can make sure that you’re really getting across to them. Are the other folks that you’re dealing with under supported by executives for what they’re doing? Is their job legitimately at risk for some reason? Maybe they feel like, oh gosh, I don’t have all these skills, and I’m just gonna get canned, whatever it may be. Figure out what’s driving it. I’ll typically try to sit down and see things from whoever’s perspective. Maybe it takes some open, honest, one-on-one conversations. On several engagements, certain people on the team, I’ve just either say, step aside in a sideline conversation or, maybe we go grab a beer and sit and chat.
But you’ve got to be able to demonstrate the willingness to listen, empathize, work with them, and try to get everybody a win, if you will.

The next one is really developing a thick skin. The flip side of being empathetic, is gaining a thick skin. You can’t take it personally when you’re encountering territorialism. People are going to get worked up. Some people are just going to get pissed at whatever you’re going to go do. But, there’s a certain point that you’ve got to remember, your obligation is not to the client’s employees, or to the vendors. You need to go in and do what’s right for the client. Most definitely.

Now, listen, sometimes you just get stuck, right? Sometimes you have literally done everything you can, but honestly, what does one do when they’ve exhausted all possibilities for handling things in the proper way? Well, and sometimes you’ll hit that point at which you have to have an escalation. I’ll always give everybody a shot to get on board, several shots, try to approach it from a number of different ways, but you can’t control how somebody is gonna respond. So sometimes you hit a point where you need to escalate. Now, that said, as part of what I’ll do before I get to the final escalation, I really need to go to the main contacts. I’ll go to so-and-so’s boss. So maybe if vendor A, or Frank on the team is continuing to be obstinate about being part of the solution, I’ll go up to their manager, or maybe to that person’s manager, have dialogues and discussions about what I’m trying to accomplish. But at the end of the day, you’ve got to have your escalation plan in hand. You need to go to the top levels of leadership, when it’s appropriate and just lay it out there. Hey, here’s what I’m dealing with. I’ve tried this, I’ve tried that, I’ve talked to this person, that person. I’ve tried it from 15 directions, but here’s my suspicion of what’s going on here, but I need your help to be able to get through this.

The problem, when I start out an engagement, I’ll be absolutely open with them. I’ll say, look, here’s the deal. We’re gonna go ahead and head down these waters and plop, but, if we’ve got deliverables that aren’t being met, if I’m not getting the assistance that I need, I want it clearly known that I’m gonna go up a level, and I may need to hit the top of the food chain to get things to happen, because my job is to try to help this organization make it from here to here. And the flip side of that is, there’s a lot of folks in compliance, whether it’s, again, internal audit, consultant, assessor, there’s a lot of folks which are reticent to escalate, you know what I mean? But the problem is when you don’t, well, guess what? The client, at some point in the game is going to come back and say, well, geez, if you knew all of these things were going on, why the hell didn’t you come and tell me about it, so that I could have helped, and we weren’t X weeks, months behind schedule, and now I’m just finding out about it. They’re honestly going to look at you, and look at you as if you are the problem, that you haven’t done your job. So, it’s a balance as you go through that process to be able to hit that mark, if you will.

That makes a ton of sense, actually. Any parting thoughts and shots for the folks out there this week? Yes, sir. The one thing to keep in mind, we talked through a bunch of whys as we were going through it, and people that are being territorial or protecting their turf. There isn’t some one-size-fits-all way that I’m always going to handle it, because there’s so many factors that are at play for every given scenario, so it’s not a single recipe. You’re often going to have to use bits, and parts, and pieces, and blah, and quite frankly, the approach depends on what it is you’re dealing with, what is the entity that you’re dealing with, etc., as you’re going through the process.

For those that are on internal audit, consultants, and assessors, if they’re in those roles, you’ll build those skills over time, but honestly, it takes years of encountering stuff, figuring it out, dealing with it. A lot of it is experience-based, and if you take the moments to reflect back on each engagement, what are the new things that I learned, how am I going to handle this differently next time, things along those lines, that will be seriously helpful as you’re going through your career. Because, it really is experience-based, with a skill build. I can’t tell you what an awesome feeling it is to have gone through the gauntlet of compliance for a client, and despite dealing with all the territorialism, and you get them to the point where you’re doing the compliance party, it’s an awesome feeling, being able to get to that point, and that’s a point where really, it’s a good time to talk about as a security compliance person. Going back and reflecting on the engagement yourself, but similarly, that’s a good point to reflect on progress with the team. Say, hey, look where we were, and where we’ve gotten to, we’ve gotten over all of these various hurdles, and, somehow, Frank decided that he didn’t want to punch me in the face anymore. And, Mary isn’t pissed with me 24/7. Now, we’re all playing in the sandbox, and we’re not whipping sand in each other’s eyes. This is a great thing. It’s, it’s funny, when you get to that point where you’re done, right? It’s pretty astounding, looking back on that and being able to see, where the team has gotten to.

And in a sense, I mean, they play a part in that, and you’ve got to kind of do that reflection with them. It’s a fun exercise to have everybody kind of think it through, as you’re doing that reflection. That also gives you an opportunity to, take the client, shift their sights for transforming. Even if they’ve been doing compliance for years, this is your first trip to the rodeo with this particular client. So, go ahead and, be proud of it. But, in the same sense, shift your focus over to moving that client into operational mode so that their compliance engagement’s banging on all cylinders as you start to head toward your next annual cycle.

Now that right there. That is the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow. And I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less.
