Perimeter

7/25/2012
02:14 PM

We've Got Regulatory Fatigue

Many organizations are worn out by ever-changing laws and regulations

Thinking back to my college days and the grind to get through finals each term, I recall how I would typically get to a point where I'd think, "It doesn't matter what grade I get -- I just want this to be over." Of course, I did care about my grades. But I also occasionally experienced a genuine mental and physical fatigue. In the end, I would suck it up and push through the exhaustion each term, rest during the break, and repeat.

By successfully repeating enough of these cycles, I was awarded my degree. As much as I enjoyed school, I was honestly ready to move onto work and leave school behind when I graduated. I had academic fatigue. It was time to start the next phase of my life, beginning a career and learning new things in new ways.

As I work with our clients and talk with business peers about their clients, it has become clear that most organizations suffer from a similar kind of fatigue: regulatory fatigue. The ever-changing and constantly growing list of laws and regulations that may apply to an organization is not only a financial tax on the business; if it is not handled well, it becomes an emotional burden, too.

Think about it. What happens when we become mentally fatigued? Many things, including loss of focus, struggles to set appropriate priorities, and even apathy toward what is required of us.

I've had clients with regulatory fatigue tell me flat out, "I know compliance is important, but at some point I can't spend any more time and money on compliance. I've got a business to run, and if the business fails, it won't matter whether we are compliant."

As a business owner, I get what they are saying, but I also think they miss a bigger point. What concerns me most when I hear this type of comment are the two common mistakes I believe this attitude reflects. The first is the mistaken belief that compliance tasks by definition are overwhelming -- a single massive project that takes over a business. The second mistake is when a leader mentally shuts down any consideration of practical options. With only two mistakes, a business leader can create an extremely dangerous situation for the organization.

I often say you should never argue with people who know they are right. It is pointless and wastes everyone's time. Fatigued business or technical leaders who have made these two classic mistakes about compliance don't want to hear any more about it. They're more than simply tired -- they are also tired of hearing about it. Getting the point across about both the importance and benefits of smart compliance can be difficult at best in these circumstances, and sometimes even impossible.

Despite the difficulty in breaking through this regulatory fatigue, it is important to stress that compliance does not have to beat down your operations to the point of mental or financial exhaustion. The key to avoiding regulatory fatigue is a methodical, practical approach. Integrate compliance into your routine operations rather than treating it as a heavy add-on. Focus on a culture of security and compliance, not on oppressing your team with rules and complex tasks. Use compliance efforts to improve your business in every area, not only in one or two.

Despite my occasional intellectual fatigue years ago in school, I've embraced a personal philosophy of deliberately learning something every day. We can break through, or altogether avoid, fatigue and be better business people and better organizations when we do.

Glenn S. Phillips, the president of Forte' Incorporated, works with business leaders who want to leverage technology and understand the often hidden risks within. He is the author of the book Nerd-to-English, and you can find him on Twitter at @NerdToEnglish.


Comments
jputman381, User Rank: Apprentice
7/31/2012 | 4:57:16 PM
re: We've Got Regulatory Fatigue
These "bullies" don't just sit around dreaming about "how can we make life miserable for business". They are generally reacting (after much prodding by the aggrieved!) to horrible holes and atrocious abuses that have made (and have the potential to make) MANY more people's lives miserable. If no one ever murdered (or planned to murder) anyone, then we wouldn't have "regulations" against murder. To be sure, some regulations can seem heavy-handed or could be ill informed and poorly executed / drafted ... but perhaps no more so than the behaviors, decisions, and events that lead to the regulations being contemplated in the first place.

As for the "right to be left alone", would that not extend to everyone? Or is it only for the privileged few!? So that, for instance, information about consumers would have to be purged (so it could never be leaked or stolen) based on their "right to be left alone".

But perhaps it is time to ban the EULAs that have so far shielded some products from the warranty obligations they should at least by now rightly assume (no one can any longer with a straight face honestly claim that software and data processing are too nascent as businesses to bear up under the warranty laws and liability exposure under which all other products exist!). In which case, sure - let's quash those EULAs and simultaneously dispense with most regulations - letting the legal gunslingers battle it out in the courts (without artificial liability and class action restrictions).
byoder911, User Rank: Apprentice
7/27/2012 | 10:23:12 PM
re: We've Got Regulatory Fatigue
I agree that the avalanche of regulations is making people just give up on trying to comply with them all, and I agree that it is a big problem. What I don't agree with is that our only choice is to ignore the laws and hope that nobody notices (and usually nobody will... if you imagine that it is mind-numbingly difficult to comply with this complex web of laws for one company, imagine what it would be like to try to know whether any of millions of businesses out there is complying with all of them; it's an impossible task) or to obey meticulously.

The only way they can get away with all of this abuse is with our cooperation to police ourselves. Why exactly should we allow ourselves to be bullied by these idiots? Why not fight them instead? We can fight them by ignoring them to some degree, but we can fight them by political means too, by for example hiring lobbyists and conducting public educational campaigns about how damaging these things are, and we can fight them by denouncing them as what they are... violations of our right to be left alone when we aren't hurting anybody. If we don't stand up for our rights who will?