Corporate Risk Reduction: How to Create a Culture of Compliance
06 September, 2017
In the last several years, reports of security breaches across an array of industries have become commonplace in the media. These organizations are losing more than just confidential customer or patient records; they are also losing business and paying hundreds of thousands of dollars, sometimes millions, in record loss remediation. This highlights the need not only to have a corporate strategy in place to reduce risk, but also to focus on creating a culture of compliance across the entire organization.
On September 14th, ShareVault hosted a webinar focused on corporate risk reduction and how creating a culture of compliance within an organization is imperative to reducing risk and avoiding security breaches.
The webinar was presented by Scott Maurice and Bryce Lopez of Avail Partners, a consulting firm focused on providing expert industry knowledge, market intelligence and an understanding of technological possibilities designed to provide solutions and business insights to their clients.
In advance of the webinar, we sat down with Scott Maurice to get a taste of what will be offered during the webinar and to discuss some of the challenges that organizations face as they attempt to reduce the risk of security breaches.
ShareVault: It’s been said that corporate security isn’t just IT’s job; it’s everyone’s job.
Scott Maurice: That’s absolutely true. That’s why it’s so important to focus on creating a culture of compliance within and across an organization. You can have all the security in the world, but if employees don’t follow the security policies, or choose to do workarounds, then that security armor may as well be made of wet paper. Corporate security and risk reduction is less about IT experts, technology and specialized tools than it is about focusing on real people in real work scenarios managing their workflows so they can be effective in their jobs, and providing them the practical tools and training they need to adhere to compliance standards. That’s how you begin to build a culture of compliance: by giving real, everyday people the tools they need in order to participate in that culture.
SV: Why do companies so often fail to create that culture?
SM: Because they make it too hard. You don’t get people to follow compliance policies by making it convoluted or by making it more difficult for people to do their jobs. Anything that makes a person’s job more difficult will inevitably get met with resistance, reluctance and resentment.
Organizations have multiple repositories of data. They have financial data, internal HR data, external customer data, sales data; they may have medical data. IT has to apply data lifecycle management, data classification schema, data lifespan management and retention policies to each one of those domains and communicate those policies across the organization. Unfortunately, what most organizations do, and this is why they fail, is that they focus on that work, but then when they roll it out they basically flog the user community with it. They let every subsequent change become a change in the process for the users at the end. So, if you’re a person who deals with sales data, financial data, HR data and external customer data, and if IT has gone through each of those domains individually and revised their policies, then your workflow has been changed four separate times, maybe more. Maybe you’re allowed to use email for one thing, but not for another. Perhaps faxing is forbidden in certain situations. You’re flogging your user community. That does the one thing you’re trying not to do, which is frustrate users and make their jobs harder. The result is that they resist and resort to yesterday’s way of doing things, so you haven’t effectively changed culture. You change culture not by making it more difficult, which is what security usually does; you change culture by making it less difficult. If it’s easier to do, then employees will have an affinity for it and they’ll do it all the time.
SV: How do you implement robust compliance policies and at the same time make a person’s job easier?
SM: You have to provide people with the tools that meet IT’s security requirements, but that are elegant and easy to use. One of the easiest policies to implement is using a secure, online repository, like ShareVault, for all document sharing purposes. It simplifies things so much. Instead of having different policies for different documents or forms of communication everything just goes into ShareVault. It’s organized, it’s secure and it’s easy to apply security policies and change permissions as needed. It’s a functional tool that makes it easy for people to do their jobs and not worry about whether they are meeting compliance requirements. And, because it’s easy, people will have an affinity for it and use it on a daily basis. That’s what’s going to create the culture and that’s what’s going to keep the organization and its data safe.
SV: What’s the process for implementing a compliance policy across an organization? How is it rolled out?
SM: One of the reasons I’m excited to present the upcoming webinar is because the practices we’re presenting can have such a large cultural impact. What we see all the time is people using “shadow IT” which is when users adopt technology on their own. Users adopt technology on their own when they’re trying to solve a problem and they need a solution that’s not provided to them. If they need to share information with people outside of the organization and they’re restricted by internal servers or email attachment size limits then they’re being prohibited from doing their job. IT is keeping the company secure, but they’re not helping that employee do their job. So what does that employee do? He uses Box or Dropbox or Google Drive to share that information. Why? Because it’s easy. It may not be secure, or comprehensive, or work across the organization, but it’s easy.
IT has a difficult job. They need to understand what the company’s data lifecycle is. They need to understand how data is created, copied, transferred, destroyed and modified. They need to define retention policies and classification schema. They need to determine what is public data, what is confidential data, what are trade secrets and what is copyrighted. As part of that exercise they need to understand how long the data survives. Not just the retention of the data, but the lifespan of the data. For instance, some data may only be pertinent for six months and then nobody will care about it. Other data may need to be preserved for the next seven years. They have to understand all those elements and then they have to apply all those factors to the different repositories of data, such as financial, medical, internal HR, external customer, sales data, etc.
That’s the framework for any checklist that an IT department is going to come up with as they roll out a compliance policy. But the end user doesn’t need to be inundated with this detail. Yes, there’s going to be a checklist. Yes, there’s going to be a procedure. Yes, policies and procedures will be evaluated. But don’t flog the user community with it. Roll the tool out first. Just like swiping a credit card and getting Box. Make it that easy. Everybody’s got it now. What’s in it? It doesn’t matter. You just use it for everything. What’s the classification? What’s the lifecycle? It doesn’t matter yet. Just enforce the use of the tool first. Make it elegant. Make it easy. Make it something they want to use and that makes their job easier. Once it’s out in the user community, then you can make all kinds of changes behind the scenes and you’re not flogging the user community every time you do it. You can impose data lifecycle changes or data management changes or data lifespan or classification schemas or repository locations changes all behind the scenes and all within the platform that everyone’s using.
Once it’s out there, demonstrate to users how much easier it is for them to do their jobs and how much more productive they can be. Help users solve their problems. Show them that the sales data that was always problematic to find is now right at their fingertips. Instead of flogging your users you end up making them happier, and that’s how you create a culture of compliance.
To learn more about reducing corporate risk and creating a culture of compliance, watch a recording of the webinar by clicking below.