Data compliance and security are priorities for organisations. Good compliance avoids financial penalties and builds trust with customers. Information security has equally become crucial as organisations accumulate information and operate digitally, increasing their cyber risks.
There is opportunity to combine these two areas in ways that mitigate business and information risks and realise priorities. Numerous experts warn that growing data stockpiles, cyber security skill shortages and intensifying legislation can spread information security too thin, increasing costs without reducing risks such as cyber crime and data abuse.
Yet, when companies use data compliance and security to support their strategic priorities, they can overcome those barriers, says Sushila Williams, Cyber Security Consultant for Governance, Risk and Compliance at Liquid C2.
"Today's businesses have a wider digital footprint that is also increasing their exposure to threats. They benefit the most when they have a proper strategy around it, using a risk-based approach with data governance, management and security."
Turning compliance into a security enabler
The best results come from following the spirit of the law to establish robust, prioritised information security that matches business priorities. However, some organisations focus too much on compliance as the primary goal.
This approach is bound to cause problems. Clean audits are prioritised over reducing information-related risks. It hurts productivity when staff struggle to access information reliably, typically resulting in workarounds that weaken security measures. Many data owners and business stakeholders distance themselves from information security, leaving it to IT and legal teams. Business strategy and risk take a back seat.
Fortunately, most companies understand that they need to go beyond simply fulfilling compliance requirements. They appreciate the view that compliance and information security led by strategy and risk is a highly potent formula.
"Compliance will tell you what to do according to the law, but it's not sufficient for protecting everything in your context. It's about data compliance requirements and also incorporating business: understanding the business context, the alignment to business and taking a risk-based approach that addresses information security," says Williams.
Putting the business first
A business-first approach enacts the spirit of the law while delivering significant information security, management and productivity. Yet, while many organisations grasp this concept, realising it is much more difficult.
Companies know they want synergy between compliance, security and strategy, but they don't know how to create it.
Not all the right people and processes are involved, specifically those relying on the data. There is often also a lack of technical and domain expertise around compliance, security and risk – specifically on how to have them work together to support the appropriate business contexts.
Williams advises creating an integrated view of these different pieces instead of treating them as separate programmes.
"Start with the business objectives; what you need to deliver from day to day. Consider all your requirements before implementing any controls. Aim for cohesion and a balanced approach to information security, risk management and compliance, addressing the requirements as you go along in an integrated way, instead of something separate on the side. Put data handling, responsibility and ownership back into the frontline."
Getting things right with the right partner
Many organisations struggle to identify starting points. They don't understand their data landscape, its processes and its risks well enough to design a unifying picture across different teams, priorities and technologies.
The industry leaders don't stay at this impasse. They recognise their shortcomings and invite partners with combined compliance, business and information security expertise to help them establish a cohesive approach. These partners, such as Liquid C2, bring together different teams – like experts in compliance, risk and information security, along with methods for engaging, detailed frameworks and digital services – to create and deliver continuous results.
"It is absolutely about that balanced approach, and that's where GRC comes in. When you look at integrating data compliance and security into your key business processes, you identify your critical and sensitive information and identify the threats it's exposed to. That's what you want to be looking to manage and prioritise first. That's applicable for any organisation, irrespective of your size and the kind and the sector," says Williams.
On their own, security and compliance don't reduce data risks. In isolation, they often have the opposite effect. But when you combine these domains to support business priorities, they become incredibly effective and manageable.