We recently sat down with Steve Ryan, manager of Attest Services, to discuss his thoughts on why businesses struggle to meet compliance requirements. Here’s what he had to say:
Steve, why do you think it’s difficult for businesses to prioritize security and compliance today?
“It really boils down to two root causes: resources and culture. Especially in today’s times, leaders are struggling to find enough resources like time, people, and money to keep their organizations running, let alone meet compliance requirements. Because of this, we see shortcuts being taken by people from top to bottom from all kinds of organizations in an effort to complete day-to-day tasks and move to the next “to-do” on what seems like a never-ending list.
For example, a person in a system administrator role may simply not have the time to wait for a colleague to approve an access request before implementing an account. As a result, they fall out of compliance with just about every framework in the industry.
This goes hand-in-hand with some of the major cultural problems modern organizations are facing. Many organizations are focused on getting the job done instead of prioritizing security. They see compliance as merely a checklist they have to follow—a pitfall that adds more time to their day or isn’t tied directly to their bottom line. To make a long story short, organizations simply don’t have the resources or the cultural mindset to achieve compliance while also remaining compliant.”
So how do we fix this?
“The answer is primarily focused on organizational culture. In many organizations, compliance is viewed as a checkbox exercise—i.e., “We have to do this because we are required to”—when leaders really should be saying, “We’re doing this to build trust, better serve our customers, and grow our organization.”
With this mindset shift, security becomes the foundation for growth within the organization, and almost inherently, the organization becomes mostly—if not fully—compliant with most frameworks out there.
This isn’t an easy feat for organizational leaders, however. The best way to begin is to start by having a conversation with your employees surrounding security and teaching them why security and compliance are so important. Steer away from those mundane training exercises that no one pays attention to and make sure your training is hands-on.
“Making security a piece of everyone’s daily responsibilities allows compliance to follow naturally.”
In addition, it’s perhaps even more important to develop and inform employees of practices for identifying a security or compliance issue and to ensure they understand the importance of reporting those issues without fear of repercussions—even if it’s their fault (i.e., they accidentally clicked a phishing link). In the long term, actions like these will not only reduce the amount of resources required to become and stay compliant, they will allow people to focus more on what they were actually hired to do.”
Does your organization need assistance creating a culture rooted in a compliance mindset? We’re here to help! Contact us today to meet with a BARR associate.
About the Author
Manager, Attest Services
As Manager for BARR’s Attest Services, Steve Ryan is responsible for planning and executing information technology audits and risk assessments for clients in the healthcare industry. He is experienced in both HITRUST and HIPAA assessments.
Prior to joining BARR, Steve was a Senior Consultant in Wolf & Company’s IT Assurance practice. He holds a Bachelor of Science in information systems from Bentley University.