The fourth option is to use internal company resources to ensure not only that you know about rules that will impact or are impacting your organization specifically, but also that you are involved in the planning and implementation of compliance strategies. To accomplish this level of awareness, you must be part of a corporate team that examines and approaches risk as one unit, with overall business goals in mind. If your company has no such team in place, even your own personal awareness will not be able to save you from the potential consequences.
The Impact of a Non-Unified Approach
Often, corporations consider laws and regulations to be primarily the concern of only one business function. For instance, the Health Insurance Portability and Accountability Act (HIPAA) is often considered only an HR or IT law; Sarbanes-Oxley (SOX) a financial law; and the Foreign Corrupt Practices Act (FCPA) a sales or supply chain law. But each of these laws has an important security component. In such cases, security is often the last notified or the last brought into the planning and compliance process — if it is brought in at all. When the security department is not deeply involved in or consulted about a company's implementation of these laws, the impact can be significant.
The most likely problem to arise in this situation is a collective impression that someone else is taking care of the security concerns, when in fact, no one is. Then, when the company is one day caught in breach of the security portion of the rule, everyone turns around and points the finger of blame at the security department, even though security was never included in compliance planning.
The same results can come about if the overall compliance effort is inclusive but disorganized, or if the planning process engenders turf wars among the heads of different departments. And don't forget, the security department is not always the victim here. When legislation is security-specific, it is just as important for security to include other impacted players in the planning process, or the result will essentially be the same: organizational failure to consider all the aspects of compliance.
If you think this is not a problem in your organization and that such disorganization and lack of unity cannot be widespread, consider this. At the SecureWorld Expo events being held across the country, the Security Executive Council has been teaming with ST&D to hold focus groups on regulatory compliance and Unified Risk Oversight. At all of these focus groups, two questions are asked: 1. What is the number-one regulation of concern for your corporation; and 2. What is the number-one regulation of concern for your security department? Invariably, the biggest concern at the corporate level is SOX, and the biggest concern at the security level is whatever the top industry guideline is — CIP for electric utilities, PCI or GLB for financial institutions, or HIPAA for healthcare or insurance, for example.
At the corporate level, SOX is burning up everyone's energy and attention, and this seems to be leading to a lack of focus on other concerns. In the same way, security departments are so focused on industry regulations that the corporation's main business concern is not of top interest to them. This appears to speak to a widespread lack of unity.
Unified Risk Oversight
The only way to effectively comply with the mountain of legislation, regulation and voluntary guidelines — let alone to ensure cost-effectiveness in compliance — is to approach it in the context of Unified Risk Oversight.
Unified Risk Oversight is a method of approaching risk whereby the corporate risk is identified by a team of executives or managers who represent the company's various business units, then managed with the best interests of the business and its goals in mind. By “corporate risk,” we mean not just the compiled risks of individual business units, but the new risk picture created when different departments' risk considerations are brought together and compared, combined and prioritized.
A quick note here on terminology: Unified Risk Oversight does sound similar to another popular term, enterprise risk management (ERM). However, there is one crucial difference: oversight. While ERM identifies all risks that may impact the corporation at the board level, Unified Risk Oversight is about who or what entity is watching over it all. It calls for one centralized overseer, a component that is not necessarily an integral part of enterprise risk management.