Javid Khan, Chief Cloud Officer at Pulsant, looks at how businesses can keep up with compliance requirements.
Many companies faced with the worry, or the recent experience, of a cyberattack rush to make big changes to their security measures. But a few months after the event they often lapse into a comfortable state where no one is keeping a keen eye on security procedures and compliance requirements on an ongoing basis. This leaves them exposed to risk and unprepared for future threats.
From a security perspective, companies need to adhere to best-practice standards such as ISO 27001 and create non-compliance reports wherever there are security gaps. The specific requirements will vary depending on the type of data generated and processed, as well as the industry sector in which the business operates.
Compliance is not a choice; if organisations suffer a data breach and are not compliant under the Data Protection Act, they can be fined up to £500,000, and GDPR non-compliance fines can be up to €20 million or 4% of annual turnover (whichever is greater). Compliance can seem daunting, but adopting a continuous approach is a positive strategy that allows businesses to become forward-thinking. IT teams can be better prepared for future threats, rather than responding reactively to audit requests and security attacks.
A change has got to come
In today’s global climate, compliance is a challenge that nearly every business faces. But it should not be thought of as a simple tick in a box and considered complete the moment it has been achieved.
There needs to be a transformation in approach, whether that means better tools, more automation or working with a trusted partner to manage the entire process. The good news is that there is an acceptance that this is the case, with 83% of IT decision makers admitting there is room for improvement, according to recent research from Pulsant commissioned by Censuswide.
Compliance is winning
Achieving compliance and maintaining it may be viewed as two sides of the same coin, but they are actually very different. Moving beyond simply achieving compliance to making sure an organisation remains compliant is a challenge that is discussed in boardrooms throughout the country.
Achieving compliance needs to become a badge of honour for organisations and viewed in the same way as winning even the most prestigious industry award. After all, being compliant demonstrates to customers, partners, investors and other stakeholders that the business is committed to implementing best practices. Conversely, non-compliance leads to severe fines and untold reputational damage that translates into loss of revenue.
The need for a 360-degree view
Today, the Big Data mountain is understood to have reached five zettabytes and the volume of data shows no sign of slowing, especially with the Internet of Things (IoT) becoming more ubiquitous than ever.
With the sheer amount of data being produced, it is becoming difficult to see the forest for the trees. This makes obtaining the information required to become and remain compliant a far from streamlined exercise, and one that leaves plenty of room for mistakes.
Due to constantly shifting regulations, businesses are now having to audit their IT compliance requirements on average four and a half times per year.
While businesses may feel they have the tools and skills to help them deal with compliance, there is often room for much improvement. Unfortunately, full-time compliance employees are costly and difficult to recruit and retain, due to the growing skills shortage in the UK. To plug this gap, businesses often need to look outside of their own four walls and turn to third-party partners to assist them in remaining compliant.
The tools they turn to also need to be fit for purpose. Given that compliance is such a complex and time-intensive task, automating some of the processes can make continuous compliance easier to achieve. It can also reduce the potential for human error, making the entire process not only more accurate but more efficient.
A change of mindset
It is not a race that is run once. Businesses need to change their mindset to one of attaining continuous compliance. Only then can a business capitalise on all the benefits that cloud and new technologies actually deliver.
Easing the strain
Organisations usually start their compliance journey by defining their security and compliance objectives and looking at how best to meet them, now and in the future. But this can be hard to do when there is a complex hybrid IT environment encompassing public cloud, private cloud, SaaS and connected devices, to name a few.
Essentially, continuous compliance requires an organisation-wide strategy and focus in order to be developed effectively. The good news is that there are many sophisticated monitoring tools that can proactively assess your environment, as well as many automation tools that make the process of collecting data and sharing it with industry bodies a lot simpler.
Yes, managing and maintaining IT compliance can be time-intensive and complex, but by using the correct tools to automate at least part of the process and leaning on third-party experts, the strain can be somewhat eased.