I lived in the IT world for 15 years before my first compliance and security extravaganza. It was an eye-opening experience, discovering how much I didn’t know. People think that if you’re in IT, you know everything there is to know about it — including security and compliance. Even your boss might assume you’re an expert in security / compliance. Which makes the idea of a compliance assessment…well, stressful, to say the least.
More often than not, I’ll see an us-versus-them mentality when an assessor comes in to do a compliance audit. There are various fears and concerns among the client’s teams — many of which are unfounded.
Is My Job at Stake?
For many people, there’s a fear that their job may be at stake during a security and compliance assessment. Suddenly there’s an outsider coming in to assess the work you’re doing. All kinds of questions pop up:
- Will I look bad in the report?
- How will my boss react?
- How will this affect my job?
- What if my boss realizes I’m not an expert in everything?
It’s easy to be uneasy when there’s this whole world that you’re first really getting your arms around. You may not have a clue what you should and shouldn’t be doing for compliance. But the boss assumes that since you’re in IT, you must know everything about compliance. It’s a tough position to be in.
On the flip side, you’ve got the assessor’s perspective. Assessors are truly just trying to help their clients get across the finish line. They don’t delight in making anyone at your organization look bad.
Compliance Auditors: Deliver the Value Your Clients Are Looking For
Yet, they’re getting paid to do a job: make sure the company meets a list of criteria. In making that assessment, they have no choice but to put a spotlight on gaps that need to get filled. To that end, use this experience as an opportunity for learning.
Your Compliance Assessor Is Your Ally
So out of the gate, the client-assessor relationship isn’t always warm and fuzzy. But after two or three years, things often change. By that time, it should be clear that the auditor’s job is to make your company more successful. The auditor is your partner in business, not a traffic cop. They aren’t there to issue citations, but to help you grow.
They’ve become someone you can rely on, learn from, and succeed with. Your compliance assessor is a partner you can be thankful for. They’ve got your back, and you’re performing at a whole other level.
People sometimes complain that security and compliance get in the way of productivity. It’s seen as a barrier to doing their jobs, and it’s nothing but a pain and a drain. But at some point a light clicks on, and they see that the fundamentals of a security and compliance program have real business value. The company is more stable and better equipped to handle activities from attackers.
I’ve seen some pretty dramatic changes of opinion — from starting by feeling wary and worried about an auditor, to becoming thankful for their partnership. Once a security and compliance program is off and running as a well-oiled machine, it can become a very good, warm relationship between all of the players.
Handpicked related content: Make Your Compliance Auditor Your Ally
What If Your Partnership Still Isn’t Warm and Fuzzy?
But what if you’re with an assessor for two or three years and you’re still not enjoying that kind of partnership?
There’s gigantic variability from one assessor to another in terms of their capabilities, the way they approach an engagement, and their personality. The combination of those three variables has a big affect on your experience with an auditor. Not every security and compliance assessor has the same capabilities, and every auditor has a different personality. Some people will simply be a better fit for your organization than others.
If you’ve been with the same assessor for a few years and you’re still feeling like you’re working with a traffic cop, maybe it’s time to look at another assessor within the firm, or possibly another assessment firm entirely. You won’t hire internal people that don’t fit your culture — why would you stick with compliance partners that aren’t a good fit? They work for you, not the other way around.
Your auditor relationship should come to feel very much like a partnership. If it doesn’t, go take a look at other firms. See if you can find one that fits your organization better.
Don’t work with people you aren’t thankful for. And while you’re at it, take time this week to express your thankfulness to the partners who help make your company stronger.
Get more thought leadership delivered to your inbox. Subscribe to the blog below!