We all know that compliance can be complicated. The requirements, the controls, the audits, the effort: there are so many components to consider and manage. Often one of the first items on a company’s wish list is a request to make compliance simpler.
So why then do so many organizations make compliance more expensive and complicated than it needs to be – all on their own?
Let me explain. Often, in their eagerness to make sure the most knowledgeable staff members are handling compliance, organizations will assign different departments to oversee different aspects. The IT department handles PCI DSS compliance, while HR oversees HIPAA. Sarbanes-Oxley Act (SOX) or other financial regulations are managed by the finance or accounting departments. This sounds like a logical arrangement to the organization, as these departments have team members with the expertise and daily responsibilities to implement the right processes.
The problem? These compliance silos don’t talk to each other. While regulations like HIPAA and PCI do have many differences, they also share considerable commonalities. Remember, compliance is about security – and the same security practices that protect cardholder data can often protect patient data. But because these departments aren’t discussing their compliance efforts with each other or comparing notes, the organization misses opportunities to streamline its processes and its expenses. Instead, they replicate programs, buy duplicate tools and spend untold hours covering territory and collecting data that’s already been covered by someone else.
Here’s how this plays out. Accounting, IT and HR are handling compliance for SOX, PCI and HIPAA, respectively. IT and HR both discover a need for file monitoring. Naturally, they both submit a request for tools, and the company spends double what it needs to. This dynamic then goes to the next level when the organization decides to drive its security program based on compliance, and incurs more duplicate processes, tools and software, along with unnecessary spending.
If you think this sounds like an enormous waste of time and budget, you’re right. The solution: organizations must step back and look at compliance across the board. By taking a holistic view of its entire security program, the organization can ensure its security and risk management controls address all the specific requirements of every relevant regulation. Not only does this help you eliminate duplicate controls and efforts, but you can also combine internal audits and reuse the evidence for your compliance audits.
As an example, our company, Armor, does this by aligning our compliance audits so that we can use a single audit cycle to accomplish multiple compliance reporting requirements. We’ve found there is extensive overlap between PCI and HIPAA alone; roughly 80 percent of our compliance controls and processes apply to both regulations. By aligning our audits, we can leverage one auditor to write two different reports, saving us time and money and also reducing the impact on our operational departments.
Has any of this sounded like something that happens in your organization? If so, you may be making compliance more complicated than it needs to be. Get started today and look at how you can move away from silos and into an integrated approach to compliance. After all, building a strong security program and meeting compliance requirements are arduous enough. Any way you can trim costs and simplify your processes is always a good thing.