Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

3/22/2012
01:56 PM
50%
50%

Technology Cannot Solve All Your People Problems

Too many in business assume compliance is primarily a technology issue

A few years ago, my team was implementing a custom software system for a client in the insurance industry. The software helped the client's staff manage claims, a complex process with many tasks that were extremely time-sensitive. As work was processed, it passed from department to department, which added to the challenge.

As the design evolved, the client kept asking us to add more and more reminders and prompts for the users. Features like these can be useful, but only to a point. As the list of reminders grew, we ultimately pointed out that if the software "bings and dings" all day long, staff will either eventually ignore all the reminders, or spend their whole day like thoughtless drones, waiting for the computer to prompt their next action.

As the discussion about the long list of reminders continued, one of my colleagues finally pointed out something we realized had been obvious to us, but not to the client. He politely said, "At some point, your employees have to do their job."

I've kept that situation in mind for many projects since then, including our own internal projects. This client couldn't fully automate its processes. People were required. But there was no way the technology could force employees to do their jobs. The employees needed software to be their tool, not their babysitter. If your staff needs a babysitter to make them do their work, then perhaps you need different employees (or different leadership).

The same lessons apply to compliance. IT can add many automatic systems, logging, and encryption. However, if people are involved with private information, then your organization’s technology alone will never make your systems fully compliant.

Compliance is not primarily a technology issue. No doubt, technology is important. But ignoring the people aspects of compliance is a sure way to get your business in trouble. Delegating all compliance responsibility to IT is poor and risky leadership. IT can lead much of the effort, but alone it can face difficulties training and enforcing the processes and procedures of other employees.

This "delegate compliance to IT" problem is exacerbated by some IT staff. Compliance can become a tool (or weapon) to build IT’s clout within an organization. By embracing the role of compliance czar, IT can be "in charge" of something instead of merely providing support services. "Ah, finally our importance has been realized."

I don't want to sound cynical. There are lots of people in IT and management who get compliance and operations right. They know the best compliance programs involve all aspects of the company -- customer service, operational expenses, and culture -- and the work (and responsibility) is not delegated to any single department or technology.

Glenn S. Phillips, the president of Forte' Incorporated, works with business leaders who want to leverage technology and understand risks within. He is the author of the book Nerd-to-English and you can find him on twitter at @NerdToEnglish.

Glenn works with business leaders who want to leverage technology and understand the often hidden risks awaiting them. The Founder and Sr. Consultant of Forte' Incorporated, Glenn and his team work with business leaders to support growth, increase profits, and address ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
97% of Americans Can't Ace a Basic Security Test
Steve Zurier, Contributing Writer,  5/20/2019
How a Manufacturing Firm Recovered from a Devastating Ransomware Attack
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/20/2019
Why AI Will Create Far More Jobs Than It Replaces
John DiLullo, CEO, Lastline,  5/14/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Talk about vendor lock in...
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-11816
PUBLISHED: 2019-05-20
Incorrect access control in the WebUI in OPNsense before version 19.1.8, and pfsense before 2.4.4-p3 allows remote authenticated users to escalate privileges to administrator via a specially crafted request.
CVE-2019-10076
PUBLISHED: 2019-05-20
A carefully crafted malicious attachment could trigger an XSS vulnerability on Apache JSPWiki 2.9.0 to 2.11.0.M3, which could lead to session hijacking.
CVE-2019-10077
PUBLISHED: 2019-05-20
A carefully crafted InterWiki link could trigger an XSS vulnerability on Apache JSPWiki 2.9.0 to 2.11.0.M3, which could lead to session hijacking.
CVE-2019-10078
PUBLISHED: 2019-05-20
A carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki 2.9.0 to 2.11.0.M3, which could lead to session hijacking. Initial reporting indicated ReferredPagesPlugin, but further analysis showed that multiple plugins were vulnerable.
CVE-2019-12239
PUBLISHED: 2019-05-20
The WP Booking System plugin 1.5.1 for WordPress has no CSRF protection, which allows attackers to reach certain SQL injection issues that require administrative access.