For all the time and effort spent at most enterprise and government organizations on complying with regulatory and standards-body mandates, an awful lot of security firms still can't seem to get compliance right. A study earlier this year showed that half of organizations have failed an audit, and 75 percent were not sure they'd pass their audits in the future.
According to most security and compliance experts, so many organizations fail because they're making the same mistakes time and time again. The following are some of the most frequent blunders made:
1. Managers Don't Think Like Auditors
Over the years, IT auditing veteran Glenn Gibson has seen far too many mid- to upper-level IT executives botch compliance efforts because they don't truly understand the regulations or standards they are subject to. He believes that many organizations can't satisfy auditors' demands because they don't have managers in place who can see their objectives with an auditor's eye.
He says that some of the most successful organizations in both compliance and security have policies that promote auditors from within.
"I've seen some companies where when you're hired as an auditor, you're only going to be one for two or three years and after that you're going to be moved into management," says Gibson, principal of security firm Zander Edward. "I think that is a very good way to do business if you're going to compensate those people well enough to stay, so they don't take that management and audit skill set and leave."
2. Resources Don't Match The Requirements
In government, the dreaded "unfunded mandate" is one of the biggest reasons why agencies can't comply with rules both in and out of IT. The fact is that compliance efforts take manpower and technology to work. And both require resources.
"The money has to be there," says Gibson.
It isn't just a question of budgeting, but also of allocating the right staff to the efforts.
"Companies assign security duties to those least likely to fulfill them well: junior employees without security training or experience," says Bill Horne, owner of security consulting firm William Warren Consulting. "Usually it is part of the 'when you have time' lists given to apprentice system administrators, who are most likely to bypass security restrictions when a senior employee asks them for a favor."
3. Organizations Ignore Human Nature
"There's a huge human nature element to compliance mandates," says Jeff Nigriny, CEO of CertiPath, an identity and credential certification organization specializing in government compliance. He believes that many organizations fail to comply when users aren't accounted for. End users must be properly trained, and they need to be apprised of the consequences of not following compliance policies.
The stick used to enforce compliance from end users doesn't necessarily always have to be as extreme as termination, either. Sometimes a humorous dose of embarrassment can work, too. When Nigriny was the CSO at an aerospace defense contractor, he had a bit of instructive fun with users who didn't follow company policy to lock unattended PCs. When he walked company halls and saw unlocked computers, he'd sit down and write emails on the user's behalf.
"I tried to make them funny. We had a manager that had a large team, and I told his entire team that he wasn't able to use all his vacation time for the year and the first people that got to HR to ask for it could use his remaining vacation time as paid time off," he says. "There was a huge line at HR and he figured out what happened shortly thereafter."