Dark Reading is part of the Informa Tech Division of Informa PLC



3/22/2012
01:56 PM

Technology Cannot Solve All Your People Problems

Too many in business assume compliance is primarily a technology issue

A few years ago, my team was implementing a custom software system for a client in the insurance industry. The software helped the client's staff manage claims, a complex process with many tasks that were extremely time-sensitive. As work was processed, it passed from department to department, which added to the challenge.

As the design evolved, the client kept asking us to add more and more reminders and prompts for the users. Features like these can be useful, but only to a point. As the list of reminders grew, we ultimately pointed out that if the software "bings and dings" all day long, staff will either eventually ignore all the reminders, or spend their whole day like thoughtless drones, waiting for the computer to prompt their next action.

As the discussion about the long list of reminders continued, one of my colleagues finally pointed out something we realized had been obvious to us, but not to the client. He politely said, "At some point, your employees have to do their job."

I've kept that situation in mind for many projects since then, including our own internal projects. This client couldn't fully automate its processes. People were required. But there was no way the technology could force employees to do their jobs. The employees needed software to be their tool, not their babysitter. If your staff needs a babysitter to make them do their work, then perhaps you need different employees (or different leadership).

The same lessons apply to compliance. IT can add many automatic systems, logging, and encryption. However, if people are involved with private information, then your organization’s technology alone will never make your systems fully compliant.

Compliance is not primarily a technology issue. No doubt, technology is important. But ignoring the people aspects of compliance is a sure way to get your business in trouble. Delegating all compliance responsibility to IT is poor and risky leadership. IT can lead much of the effort, but on its own it can have difficulty training other employees and enforcing their processes and procedures.

This "delegate compliance to IT" problem is exacerbated by some IT staff. Compliance can become a tool (or weapon) to build IT’s clout within an organization. By embracing the role of compliance czar, IT can be "in charge" of something instead of merely providing support services. "Ah, finally our importance has been realized."

I don't want to sound cynical. There are lots of people in IT and management who get compliance and operations right. They know the best compliance programs involve all aspects of the company -- customer service, operational expenses, and culture -- and the work (and responsibility) is not delegated to any single department or technology.

Glenn S. Phillips, the president of Forte' Incorporated, works with business leaders who want to leverage technology and understand risks within. He is the author of the book Nerd-to-English, and you can find him on Twitter at @NerdToEnglish.

Glenn works with business leaders who want to leverage technology and understand the often hidden risks awaiting them. The Founder and Sr. Consultant of Forte' Incorporated, Glenn and his team work with business leaders to support growth, increase profits, and address ...
