Drive Down Risk by Leveraging Compliance

March 27, 2012

leverage_enews It’s a scary world out there. Hackers stalk your networks just waiting to access your data. Identity thieves are busily scheming how to take over your assets. Fraudsters look for ways to take advantage of your good graces for personal gain. Maybe you have total confidence in your information security efforts because your IT team is well-versed at protecting networks and data assets. But what about the business processes themselves, or the people responsible for the day-to-day operations of those processes?

Corporate security is an essential part of any organization, but all too often the role of security has remained overly focused in information technology. In essence, it’s been about creating a sturdier door with a more pickproof lock. But that’s changing. Today, security leaders are being called upon to not only manage protection and mitigate the consequences of risk, but also to proactively identify potential risks and to become better aligned with the organization’s values and ethics-based objectives.

Security policies are not at fault, nor do data protection protocols lack in scope. All things considered, security measures are more efficient than ever before. But the malfeasants have also become savvier in their efforts. A recent KPMG study, “Who is the Typical Fraudster?,” found that for more than one in ten fraud events, fraud was committed by individuals who colluded to circumvent otherwise good anti-fraud control measures – almost double the number reported just five years ago.

Corporate initiatives that are integrated enterprise-wide at the various touch-points along the compliance lifecycle serve to connect risk management activities with security’s role as the corporate guardian. Such an approach serves to strengthen an organization’s collective security posture and enables it to minimize the potential for fraudulent or unsafe activities, thus guarding against risk. This integrated approach to governance, risk and compliance (GRC) works in conjunction with existing data protection and security measures to align policies and standards of behavior (e.g., code of conduct) with the ability to monitor and track components such as training, policy violations, issue management and corrective action activities.

Traditionally, risk management has been more aligned with the finance and audit functions and separated from compliance activities. As a result, resources are often duplicated and compliance data is siloed according to the particular segment of the business. This creates an environment where risk is more difficult to detect and correct. Risk management that is more business-driven and values-based requires that the security and compliance functions seek common ground in a collaborative effort to both reduce and manage risk.

While the chief security officer (CSO) is responsible for digital security and the safety of employees, facilities and assets, the chief compliance officer (CCO) is responsible for implementing policies and procedures that are in sync with the organization’s values and risk tolerances. It is the CCO’s responsibility to ensure the company is compliant with all necessary laws and regulations and kept aware of any regulatory changes.

When changes do occur, the CSO and CCO must:

Adjust corporate policies and procedures accordingly and communicate those changes to every employee
See eye to eye and work to understand each other’s priorities and capabilities
Come to rely on one another to maintain a secure and compliant organizational structure

Teamwork in this department is entirely necessary for survival. Just as technology has led to improved security measures, Web-based technologies are evolving to drive business process improvements for compliance. These technologies automate the process of detecting security threats posed by people and the processes they use rather than by networks and data assets. When combined with traditional security tools, these new compliance technologies provide an additional layer of protection and greater actionability. By getting ahead of baseline, required compliance, CSOs and CCOs can create compliance processes uniquely tailored to their environment and help to secure business against opportunistic, creative thieves.

Security and compliance leaders face a common foe – risk – and everyone can agree that managing risk in an organization is essential for sustained growth. By giving credence to compliance initiatives, organizations provide their employees a better sense of confidence in the security tools being used and the rationale behind them. Leveraging an integrated GRC initiative better positions the enterprise to minimize fraudulent behavior and protect assets and reputations as they guard against risk.

Luis Ramos is the CEO of The Network, a leading provider of integrated governance, risk and compliance (GRC) solutions that help organizations mitigate risk, achieve compliance and ultimately, create better, more ethical workplaces. Luis has more than twenty years of experience in risk management and compliance, and his thought leadership has been featured in publications including National Underwriter Magazine, Risk Management Magazine, Loss Prevention and Ethikos.

You must login or register in order to post a comment.

ON DEMAND: DevSecOps creates an environment of shared responsibility for security, where AppSec and development teams become more collaborative. With the right training and tools, developers can become more hands-on with security and, with that upskilling, stand out among their peers... however, they need the security specialists on-side, factoring them into securing code from the start and championing this mindset across the company.

ON DEMAND: The insider threat—consisting of scores of different types of crimes and incidents—is a scourge even during the best of times. But the chaos, instability and desperation that characterize crises also catalyze both intentional and unwitting insider attacks. Learn how your workers, contractors, volunteers and partners are exploiting the dislocation caused by today's climate of Coronavirus, unemployment, disinformation and social unrest.

Security Magazine

2020 November

This month, Security magazine brings you the Security 500 Report, Rankings and Thought Leader Profiles. How does your enterprise compare to others? Which security programs are leading the way? Also this month, we highlight how to plan, prepare for and build resilience to protests and other unplanned events, video surveillance tools for SMBs and more.

View More Create Account

Drive Down Risk by Leveraging Compliance

Related Articles

Related Events

Report Abusive Comment