One of the first items on a company’s wish list is a request to make compliance easier. So, why do so many organizations make compliance more expensive and complicated than it needs to be — all on their own?
Often, in their eagerness to make sure the most knowledgeable staff members are handling compliance, organizations will assign different departments to oversee various aspects of the compliance project.
For example, the IT department may handle PCI DSS compliance, while HR oversees HIPAA. Sarbanes-Oxley Act (SOX) or other financial regulations may be managed by the finance or accounting departments. This sounds like a logical arrangement to the organization, as these departments have team members with the expertise and daily responsibilities to implement the right processes.
The problem? These compliance silos don’t efficiently communicate or coordinate with each other. While regulations like HIPAA and PCI do have many differences, they also share considerable commonalities.
Remember, compliance is about security — and the same security practices that protect cardholder data can often protect healthcare and patient data. But because these departments aren’t in sync, the organization misses opportunities to streamline processes and cut expenses.
Instead, they replicate programs, buy duplicate tools and spend untold hours covering territory and collecting data that’s already been covered by someone else within the organization.
Here’s how this plays out. Accounting, IT and HR handle compliance for SOX, PCI and HIPAA, respectively. IT and HR both discover a need for file monitoring.
Naturally, both submit a request for tools, and the company spends double what is required. This dynamic goes to the next level, when the organization decides to drive their security program based on compliance, and incurs more duplicate processes, tools and software, along with unnecessary spending.
If you think this sounds like an enormous waste of time and budget, you’re right.
The solution: organizations must step back and look at compliance across the board. By taking a holistic view of its entire security program, the organization can ensure its security and risk management controls address all specific requirements of all relevant institutions.
Not only does this help eliminate duplicate controls, spending and efforts, it combines internal audits to reuse evidence for your compliance audits.
As an example, Armor does this by aligning our compliance audits so that we can use a single audit cycle to accomplish multiple compliance reporting requirements.
We’ve found there is an extensive overlap between PCI and HIPAA alone; roughly 80% of our compliance controls and processes apply to both regulations. By aligning our audits, we can leverage one auditor to write two different reports; saving us time and money and also reducing the impact on our operational departments.
Has any of this sounded like something that happens in your organization? If so, you may be making compliance more complicated than needed. Get started today and look at how you can move away from silos and into an integrated and efficient compliance approach.
After all, building a strong security program and meeting compliance requirements is arduous enough. Any improvements you can make to trim costs and simplify your processes is always a good thing.
Kurt Hagerman serves as Chief Information Security Officer for Armor.
