Perimeter
3/22/2012
01:56 PM
Connect Directly
RSS
E-Mail
50%
50%
Repost This

Technology Cannot Solve All Your People Problems

Too many in business assume compliance is primarily a technology issue

A few years ago, my team was implementing a custom software system for a client in the insurance industry. The software helped the client's staff manage claims, a complex process with many tasks that were extremely time-sensitive. As work was processed, it passed from department to department, which added to the challenge.

As the design evolved, the client kept asking us to add more and more reminders and prompts for the users. Features like these can be useful, but only to a point. As the list of reminders grew, we ultimately pointed out that if the software "bings and dings" all day long, staff will either eventually ignore all the reminders, or spend their whole day like thoughtless drones, waiting for the computer to prompt their next action.

As the discussion about the long list of reminders continued, one of my colleagues finally pointed out something we realized had been obvious to us, but not to the client. He politely said, "At some point, your employees have to do their job."

I've kept that situation in mind for many projects since then, including our own internal projects. This client couldn't fully automate its processes. People were required. But there was no way the technology could force employees to do their jobs. The employees needed software to be their tool, not their babysitter. If your staff needs a babysitter to make them do their work, then perhaps you need different employees (or different leadership).

The same lessons apply to compliance. IT can add many automatic systems, logging, and encryption. However, if people are involved with private information, then your organization’s technology alone will never make your systems fully compliant.

Compliance is not primarily a technology issue. No doubt, technology is important. But ignoring the people aspects of compliance is a sure way to get your business in trouble. Delegating all compliance responsibility to IT is poor and risky leadership. IT can lead much of the effort, but alone it can face difficulties training and enforcing the processes and procedures of other employees.

This "delegate compliance to IT" problem is exacerbated by some IT staff. Compliance can become a tool (or weapon) to build IT’s clout within an organization. By embracing the role of compliance czar, IT can be "in charge" of something instead of merely providing support services. "Ah, finally our importance has been realized."

I don't want to sound cynical. There are lots of people in IT and management who get compliance and operations right. They know the best compliance programs involve all aspects of the company -- customer service, operational expenses, and culture -- and the work (and responsibility) is not delegated to any single department or technology.

Glenn S. Phillips, the president of Forte' Incorporated, works with business leaders who want to leverage technology and understand risks within. He is the author of the book Nerd-to-English and you can find him on twitter at @NerdToEnglish.

Glenn works with business leaders who want to leverage technology and understand the often hidden risks awaiting them. The Founder and Sr. Consultant of Forte' Incorporated, Glenn and his team work with business leaders to support growth, increase profits, and address ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Latest Comment: LOL.
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2011-3154
Published: 2014-04-17
DistUpgrade/DistUpgradeViewKDE.py in Update Manager before 1:0.87.31.1, 1:0.134.x before 1:0.134.11.1, 1:0.142.x before 1:0.142.23.1, 1:0.150.x before 1:0.150.5.1, and 1:0.152.x before 1:0.152.25.5 does not properly create temporary files, which allows local users to obtain the XAUTHORITY file conte...

CVE-2013-2143
Published: 2014-04-17
The users controller in Katello 1.5.0-14 and earlier, and Red Hat Satellite, does not check authorization for the update_roles action, which allows remote authenticated users to gain privileges by setting a user account to an administrator account.

CVE-2014-0036
Published: 2014-04-17
The rbovirt gem before 0.0.24 for Ruby uses the rest-client gem with SSL verification disabled, which allows remote attackers to conduct man-in-the-middle attacks via unspecified vectors.

CVE-2014-0054
Published: 2014-04-17
The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External ...

CVE-2014-0071
Published: 2014-04-17
PackStack in Red Hat OpenStack 4.0 does not enforce the default security groups when deployed to Neutron, which allows remote attackers to bypass intended access restrictions and make unauthorized connections.

Best of the Web