Sean Thompson, President & Chief Executive Officer, NAVEX.
Every leader who’s paying attention knows that risk and compliance management is business critical. Not just to stay on the right side of regulations, that’s a given. But also to make your organization more resilient and your workplace culture stronger. That said, risk doesn’t respect functional boundaries. So, a big part of getting this right is recognizing when different parts of the organization have overlapping responsibilities for identifying and mitigating risk. The next step, of course, is ensuring they work in harmony rather than in isolation. In my experience, two such functions are compliance and IT security. Let me explain.
CCOs and CISOs share common ground when it comes to risk causes and vectors. I believe each would say their greatest exposures are employees, third parties and weak or insufficient processes.
People are always at the root of compliance failures and IT security breaches, whether they are employees or third parties who interact with the company’s systems. Both CCOs and CISOs need to understand these two risk “actors” and make sure they are monitored and trained to eliminate as much exposure as possible.
A recent object lesson about the cost of employee mistakes is the MGM Grand ransomware attack. For anyone who missed it, the hackers reportedly found an employee’s information on LinkedIn and impersonated them in a call to the IT help desk, where they obtained credentials to access and infect the company’s network. Better training and stronger caller identification processes at the IT help desk might have prevented what is predicted to have cost the company more than $80 million. Both compliance and IT security have an interest—and a role—in preventing this from happening again.
Regarding third parties, both the CCO and CISO care a lot about vetting, educating and monitoring them. But this is often done in silos given the different aspects of the third party’s business that concerns each function. At a minimum, this siloed approach introduces considerable inefficiencies and, in the worst case, risk management gaps. For instance, if a prospective vendor is on a government sanctions list, wouldn’t the CISO want to know? And if the third party fails to meet IT security requirements, wouldn’t that be of interest to the CCO? A best practice approach would have each function sharing all the salient information so that both can take appropriate actions to work more efficiently and reduce organizational risk.
And then there is process. Compliance and IT security each have policies in place to comply with regulations, security frameworks and the like. Each assigns ownership for following these processes throughout the organization. Increasingly, these processes are reduced to discrete data inputs and automated so they can be monitored, analyzed and reported in ways that help the organization run better.
When a data protection process is not followed, is it an IT security problem or a compliance failure? I suggest it’s both. This makes it only logical that both these functions should be using the same integrated platform to manage risk across the organization.
Finally, there is the reality of tunnel vision created by an environment of ever-increasing workloads. Vision tends to narrow when intensity increases. This gets magnified when people work in silos with little or no bigger-picture visibility. Unifying the processes and reporting capability of critical functions like compliance and IT security through a software platform approach can improve both functions’ visibility to one another. Cooperation, efficiency, increased effectiveness and risk reduction will follow.
In addition, collaboration between CCOs and CISOs can extend to training that complements mutual objectives as well as corporate communications that can help ensure the message employees receive is consistent and meaningful for both functions. New allies trust your partner and bring them in as their expertise adds value. For example, when a risk assessment calls for cyber expertise or a security vendor has questions about the code of conduct.
When risk-signal data is captured, analyzed and reported in this unified way—where the CCO and CISO can easily find the information they need to do their jobs in a single system with common dashboards—everyone wins.
Forbes Business Council is the foremost growth and networking organization for business owners and leaders. Do I qualify?