Core Advisory
Risk Transformation
Enterprise Security Architecture
Cyber Defense and Incident Response
Emerging Technologies & AI
By Brian Rizman
The only constant in compliance and security is change. What happens when your colleagues—whether they are senior executives at the top of the foodchain or knowledge workers below—resist the change needed for compliance across various industries and geographies?
The tactics to encourage the necessary changes are different across different types of companies, but there are a few tactics that work across verticals. Every stakeholder needs to understand that a lack of compliance will hurt their areas directly, so it’s not solely a mandate for a mandate’s sake. This means that constant education and championing—I’m hesitant to say evangelizing, but if ever there was a need for evangelizing, it would be in compliance and security—needs to happen.
The insistence of proper compliance efforts must start with the CEO making such compliance a top-down mandated agenda item. That insistence must come with critical funding and not be merely words. Nothing gets executives’ attention focused as effectively as new dollars coming from the CEO.
One of the ongoing problems with maintaining compliance is that for far too many workers, compliance is an amorphous concept that is absolutely removed from their day-to-day business considerations. Companies need to consistently point out instances of other companies—ideally in their vertical—that are suffering concrete penalties because they didn’t spend enough time focusing on compliance issues.
It’s a time-honored technique. How does one get taxpayers to pay all of their taxes? By shouting and screaming every time a taxpayer is charged with non-payment and imprisoned. How does a company get employees to abide by their in-house rules? By letting it be widely known when someone gets fired for not complying. Repeated credible anecdotes about the pain related companies are suffering due to non-compliance is a fine way to get people to comply.
Through education and training, employees must internalize the compliance applicability to their own jobs and tasks. In short, compliance has to become real for them. This means incorporating compliance efforts into employee performance objectives. Compliance must be prominently referenced in the HR documents detailing what that employee must accomplish to earn their bonuses.
Another consideration is finding someone already in the organization who embraces compliance issues and who is well-respected among peers, someone who can act as a champion or cheerleader. This person might not need to really understand compliance issues, but they do need to be a recognized and respected change agent for the organization.
The operative word there is “respected.” This needs to be someone that other employees look up to as someone who understands the business. This change agent champion/cheerleader might have successfully implemented something, made impressive progress, delivered a project ahead of schedule and/or with better metrics than expected, etc.
The idea is that if you get that kind of an individual on board, that person’s support of the compliance effort will make is far easier to get others to cooperate. If this individual is in an official leadership role, that’s great—and quite helpful—but sometimes the best and most influential leaders are found deep within the ranks. It’s someone who has the respect of others in the workforce, which doesn’t by any means require an official management role.
It’s also critical to make sure that people and processes are firmly in place—properly funded and trained—before technology investments are explored. Technology won’t help much without people and the proper mindsets. This is a journey that isn’t going to happen overnight. Expectations must be set properly.