The fluid technology and regulatory landscape calls on IT compliance professionals to be more flexible and proactive than in the past to remain effective, according to Ralph Villanueva’s session on “How to Design and Implement an Adaptive IT Compliance Function,” Monday at the 2018 GRC Conference in Nashville, Tennessee, USA.
The IT compliance function serves as an important bridge between the audit and IT departments, in addition to articulating business-related IT and security initiatives to management, and recommending and implementing appropriate compliance frameworks.
Business model changes, legal considerations, government requirements and evolving industry regulations are among the common reasons that organizations may need to more frequently explore switching their frameworks than in the past. Villanueva, IT security and compliance analyst with Diamond Resorts, referenced the General Data Protection Regulation (GDPR), which became enforceable in May, as an example of a recent regulatory shift that could have significant compliance ramifications. Additionally, he cited industries such as banking, healthcare and gaming as having special requirements calling for the use of compliance frameworks.
While acknowledging that the need to explore new or additional frameworks can cause “compliance anxiety” and organizational resistance, considering the corresponding investments in time and resources, Villanueva said effective use of people, processes and technology can make the process worthwhile in the long-run. Given the increasing need to implement different frameworks to deal with a growing set of compliance complexities, Villanueva laid out five steps to be actively compliant across several frameworks while remaining in line with budget realities:
- Understanding beats memorizing. Compliance professionals who truly understand the intent of the framework are best positioned to adapt them to their organizations.
- Know your organization. Having a clear handle on the organization’s business model, mission and array of information and technology resources allows for more strategic compliance.
- Anticipate how today’s trends will influence what you do tomorrow. Variables such as the need to incorporate more mobile device security and use of emerging technologies such as artificial intelligence (AI) and machine learning may call for recalibrating compliance processes.
- Know that some fundamentals never change. Despite the volatile landscape, Villanueva said there still needs to be focus on established compliance priorities such as application controls and segregation of duties.
- Keep learning. Investing in personal development and prioritizing networking are some of the best ways to keep current and “future-proof” career paths.
Villanueva cited COBIT 5, NIST 800-53, ISO 27001:2013 and PCI-DSS 3.2 as examples of useful frameworks for compliance professionals, and said identifying commonalities among different frameworks can make for a more efficient approach. Villanueva recommended IT compliance frameworks because they:
- Simplify compliance;
- Reduce the likelihood of missing compliance requirements;
- Maximize everyone’s time;
- Allow for clearly understood expectations;
- Are commonly accepted by control stakeholders.
The importance of compliance professionals should not be overlooked. Aside from potential legal ramifications resulting from inadequate compliance, Villanueva said having strong compliance programs in place is critical to deter corruption and costly illegalities.
“We’re here to make sure that crime doesn’t pay,” Villanueva said.