IT Compliance and Controls

Converging Business, Information, and Controls


Compliance Week 2009: Ineffective Controls due to Consolidation of Regulators

June 4th, 2009 · No Comments

This week is Compliance Week, and for most that implies vendor pitches and F.U.D., but specific tidbits flowing from the conference indicate otherwise.  If you are not in attendance, the steady flow on Twitter (your window into conversations of interest) and on blogs should give you a reasonable recap.  If any sessions are of interest, I strongly recommend reaching out to the speakers directly and striking up a conversation; the speaker's list is here.
Michael Rasmussen has posted a nice update on his blog.  He raises a point of particular interest to business executives and practitioners that I wanted to expand upon: the concept of regulation, the merging of regulatory agencies, and the net effect on effectiveness and efficiency.  There are plenty of arguments for regulation and against it, but that is not the point here.  What is intriguing is what happens to the businesses themselves in these ebb-and-flow moments in our history.  I go into great detail on this in my book, but want to point out specific areas of focus.
The concept of "consolidating" regulators and legislation into a super-structure to protect citizens has the net effect of watering down guidance and regulation.  This is a common complaint from individuals adopting ITIL v3 or COBIT in full: these frameworks are too broad to fit any one organization properly, and unlikely to address the risks any one organization faces adequately.
Given this observation, executives should consider:

  • Embrace public, international, open governance and security frameworks, and cut your own program from them rather than adopting them wholesale
  • The cost of compliance should DECLINE, not increase, over time; the exception is a business that is expanding, in which case the cost curve should track the cost of that expansion
  • Achieving compliance is not sufficient to thwart the risks to the business; security, privacy, operational integrity, and satisfaction of contractual agreements require a cultural and organic approach

Practitioners must take it upon themselves to educate and communicate when compliance F.U.D. and marketing take over a business' risk management program.  Only through communication will everyone know what risks exist, which risks are addressed, which risks are immaterial, and how they fit together to form the information security program and governance processes.

Other insights and perspectives on the effect of consolidating and "watering down" effective controls and safeguards to the point where they no longer address their original intent?

Kind regards,

James DeLuccia IV

Tags: Uncategorized
