Driving down the cost of compliance


Johannesburg, 02 Dec 2010

Driving down the cost of compliance is the key to competitive advantage, but compliance also needs to be taken seriously and become part of a cost-effective executive risk management strategy. Compliance must be turned into competitive advantage whereby the opportunity cost of being compliant is vastly reduced. This is according to J2 Software managing director John Mc Loughlin.

Compliance roles should not be separated from the business; they should be seen as business enablers that integrate the compliance needs of audit and IT, and they must be communicated at board level. In order to turn governance, risk and compliance into competitive advantage, it must be perceived and experienced as a 'business enabler' as opposed to a function that leads to 'business prevention'.

If compliance is too time-consuming and complex, it will be ignored or shortcuts will be taken. Unseen risks cause damage and unfortunately, one cannot manage what one cannot see. This is a simple phrase to keep in mind when implementing the governance, risk and compliance strategy.

Incidents will inevitably occur regardless of effective security measures, but ongoing proactive automated enforcement, staff education and end-user buy-in will minimise the likelihood and impact of unforeseen risks.

Furthermore, compliance should not lengthen the 'time to value' continuum, which is a critical success factor for many bid teams. For this reason, bid teams often do not include compliance staff, and in situations where a complex bid is being put together in a short timeframe, cutting corners is a very attractive option. It is here that the risk management equation comes into its own, with management often asking itself whether the cost of non-compliance is worth the risk.

When legislation is amended several times during the process, compliance could very easily become a casualty. Legislation that changes regularly, which leaves it open to interpretation, and that must sometimes be implemented across continents leads to compliance being viewed as an undesirable overhead. It has been said that in current circumstances, every organisation - from SMEs to larger enterprises - requires a compliance department, which then gives one an abnormally high ratio of compliance staff to employees.

Another problem is that too often the chief security officer is seen to have a secondary function, and they must constantly fight for resources and justification of their proposed policy. This can compromise compliance, creating a patchy approach. This is especially true where legacy and bespoke applications are often not compliant, and fixes are attempted when there may not be the skills within an organisation to do this properly, and costs would be incurred to do it any other way.

However, there does seem to be a change in perception and urgency for compliance. Funds are slowly becoming available for certain types of compliance measurement, but unfortunately these new measures are seen to be in competition with other general security standards, ie, physical security, antifraud measures etc. These funds are usually accessed via the CIO, who must be convinced of the need for a comprehensive information security and compliance strategy.

When information security is embedded into an organisation's DNA, compliance not only involves observing the formal rules as laid out in the policy, but also includes observing the informal rules governing circumstances that may not be anticipated. Observing these informal rules will demonstrate that security is well and truly embedded in the organisation's DNA.

Once this process is initiated, a simple but effective test of how well security is embedded into the DNA can be illustrated by leaving a confidential document on the floor in a common area to see how it is handled by passing staff. Employees must be confident in handling situations where they may not have the familiar security parameters around them and the informal rules or corporate morals will kick in automatically.

As the complexity of data and ease of access keep increasing, now more than ever, companies have a golden opportunity to push information security and compliance to the top of the agenda. They must urgently address the situation to protect their information assets and the privacy of their electronic identity.

For more information, contact J2 Software on 0861 00 J TWO (5896) or e-mail john@jtwo.co.za.

J2 Software

J2 Software is a leading South African information technology security company. While most organisations are now starting to realise the impact of data theft and abuse of IT resources by employees, J2 recognised the need to protect against this activity some time ago. J2 Software was born after the founders identified an opportunity in the Information Technology market in South Africa and the rest of Africa. They saw a growing need for Information Security Solutions which were comprehensive, simple to deploy, easy to use and good value for money. After tireless searching and investigation J2 Software was officially launched in 2006.

Shortly after inception the customer list of J2 Software started to grow rapidly, and this continues to be the case to this day. J2 Software has provided services and solutions to numerous renowned, forward-thinking companies with sites running in South Africa, Angola, Botswana, Kenya, Malawi, Mauritius, Mozambique, Tanzania, Uganda and Zambia.

J2 Software provides solutions and services to various organisations that have a requirement to secure their sensitive information as well as implement, monitor and enforce internal security policies. In recent times organisations are placing a far higher priority on the security, accountability and control of their most prized asset, their information.

Adding to this is the ever-growing pressure being placed on companies and their directors to maintain the security and control of the sensitive data of their clients, as well as the necessity to conform to various local and international compliance regulations.

With the continued rise of identity theft and confidential data leakage, the need for J2's product offering is not only an advantage, but an absolute necessity.

Editorial contacts

Ivor van Rensburg
IT Public Relations
(082) 652 8050
ivor@itpr.co.za
John Mc Loughlin
J2 Software
(011) 794 2537
john@jtwo.co.za