Perimeter

3/22/2012
01:56 PM
50%
50%

Technology Cannot Solve All Your People Problems

Too many in business assume compliance is primarily a technology issue

A few years ago, my team was implementing a custom software system for a client in the insurance industry. The software helped the client's staff manage claims, a complex process with many tasks that were extremely time-sensitive. As work was processed, it passed from department to department, which added to the challenge.

As the design evolved, the client kept asking us to add more and more reminders and prompts for the users. Features like these can be useful, but only to a point. As the list of reminders grew, we ultimately pointed out that if the software "bings and dings" all day long, staff will either eventually ignore all the reminders, or spend their whole day like thoughtless drones, waiting for the computer to prompt their next action.

As the discussion about the long list of reminders continued, one of my colleagues finally pointed out something we realized had been obvious to us, but not to the client. He politely said, "At some point, your employees have to do their job."

I've kept that situation in mind for many projects since then, including our own internal projects. This client couldn't fully automate its processes. People were required. But there was no way the technology could force employees to do their jobs. The employees needed software to be their tool, not their babysitter. If your staff needs a babysitter to make them do their work, then perhaps you need different employees (or different leadership).

The same lessons apply to compliance. IT can add many automatic systems, logging, and encryption. However, if people are involved with private information, then your organization’s technology alone will never make your systems fully compliant.

Compliance is not primarily a technology issue. No doubt, technology is important. But ignoring the people aspects of compliance is a sure way to get your business in trouble. Delegating all compliance responsibility to IT is poor and risky leadership. IT can lead much of the effort, but alone it can face difficulties training and enforcing the processes and procedures of other employees.

This "delegate compliance to IT" problem is exacerbated by some IT staff. Compliance can become a tool (or weapon) to build IT’s clout within an organization. By embracing the role of compliance czar, IT can be "in charge" of something instead of merely providing support services. "Ah, finally our importance has been realized."

I don't want to sound cynical. There are lots of people in IT and management who get compliance and operations right. They know the best compliance programs involve all aspects of the company -- customer service, operational expenses, and culture -- and the work (and responsibility) is not delegated to any single department or technology.

Glenn S. Phillips, the president of Forte' Incorporated, works with business leaders who want to leverage technology and understand risks within. He is the author of the book Nerd-to-English and you can find him on twitter at @NerdToEnglish.

Glenn works with business leaders who want to leverage technology and understand the often hidden risks awaiting them. The Founder and Sr. Consultant of Forte' Incorporated, Glenn and his team work with business leaders to support growth, increase profits, and address ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Google Engineering Lead on Lessons Learned From Chrome's HTTPS Push
Kelly Sheridan, Staff Editor, Dark Reading,  8/8/2018
White Hat to Black Hat: What Motivates the Switch to Cybercrime
Kelly Sheridan, Staff Editor, Dark Reading,  8/8/2018
PGA of America Struck By Ransomware
Dark Reading Staff 8/9/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-3937
PUBLISHED: 2018-08-14
An exploitable command injection vulnerability exists in the measurementBitrateExec functionality of Sony IPELA E Series Network Camera G5 firmware 1.87.00. A specially crafted GET request can cause arbitrary commands to be executed. An attacker can send an HTTP request to trigger this vulnerability...
CVE-2018-3938
PUBLISHED: 2018-08-14
An exploitable stack-based buffer overflow vulnerability exists in the 802dot1xclientcert.cgi functionality of Sony IPELA E Series Camera G5 firmware 1.87.00. A specially crafted POST can cause a stack-based buffer overflow, resulting in remote code execution. An attacker can send a malicious POST r...
CVE-2018-12537
PUBLISHED: 2018-08-14
In Eclipse Vert.x version 3.0 to 3.5.1, the HttpServer response headers and HttpClient request headers do not filter carriage return and line feed characters from the header value. This allow unfiltered values to inject a new header in the client request or server response.
CVE-2018-12539
PUBLISHED: 2018-08-14
In Eclipse OpenJ9 version 0.8, users other than the process owner may be able to use Java Attach API to connect to an Eclipse OpenJ9 or IBM JVM on the same machine and use Attach API operations, which includes the ability to execute untrusted native code. Attach API is enabled by default on Windows,...
CVE-2018-3615
PUBLISHED: 2018-08-14
Systems with microprocessors utilizing speculative execution and Intel software guard extensions (Intel SGX) may allow unauthorized disclosure of information residing in the L1 data cache from an enclave to an attacker with local user access via a side-channel analysis.