Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

3/22/2012
01:56 PM
50%
50%

Technology Cannot Solve All Your People Problems

Too many in business assume compliance is primarily a technology issue

A few years ago, my team was implementing a custom software system for a client in the insurance industry. The software helped the client's staff manage claims, a complex process with many tasks that were extremely time-sensitive. As work was processed, it passed from department to department, which added to the challenge.

As the design evolved, the client kept asking us to add more and more reminders and prompts for the users. Features like these can be useful, but only to a point. As the list of reminders grew, we ultimately pointed out that if the software "bings and dings" all day long, staff will either eventually ignore all the reminders, or spend their whole day like thoughtless drones, waiting for the computer to prompt their next action.

As the discussion about the long list of reminders continued, one of my colleagues finally pointed out something we realized had been obvious to us, but not to the client. He politely said, "At some point, your employees have to do their job."

I've kept that situation in mind for many projects since then, including our own internal projects. This client couldn't fully automate its processes. People were required. But there was no way the technology could force employees to do their jobs. The employees needed software to be their tool, not their babysitter. If your staff needs a babysitter to make them do their work, then perhaps you need different employees (or different leadership).

The same lessons apply to compliance. IT can add many automatic systems, logging, and encryption. However, if people are involved with private information, then your organization’s technology alone will never make your systems fully compliant.

Compliance is not primarily a technology issue. No doubt, technology is important. But ignoring the people aspects of compliance is a sure way to get your business in trouble. Delegating all compliance responsibility to IT is poor and risky leadership. IT can lead much of the effort, but alone it can face difficulties training and enforcing the processes and procedures of other employees.

This "delegate compliance to IT" problem is exacerbated by some IT staff. Compliance can become a tool (or weapon) to build IT’s clout within an organization. By embracing the role of compliance czar, IT can be "in charge" of something instead of merely providing support services. "Ah, finally our importance has been realized."

I don't want to sound cynical. There are lots of people in IT and management who get compliance and operations right. They know the best compliance programs involve all aspects of the company -- customer service, operational expenses, and culture -- and the work (and responsibility) is not delegated to any single department or technology.

Glenn S. Phillips, the president of Forte' Incorporated, works with business leaders who want to leverage technology and understand risks within. He is the author of the book Nerd-to-English and you can find him on twitter at @NerdToEnglish.

Glenn works with business leaders who want to leverage technology and understand the often hidden risks awaiting them. The Founder and Sr. Consultant of Forte' Incorporated, Glenn and his team work with business leaders to support growth, increase profits, and address ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-31414
PUBLISHED: 2021-04-16
The unofficial vscode-rpm-spec extension before 0.3.2 for Visual Studio Code allows remote code execution via a crafted workspace configuration.
CVE-2021-26073
PUBLISHED: 2021-04-16
Broken Authentication in Atlassian Connect Express (ACE) from version 3.0.2 before version 6.6.0: Atlassian Connect Express is a Node.js package for building Atlassian Connect apps. Authentication between Atlassian products and the Atlassian Connect Express app occurs with a server-to-server JWT or ...
CVE-2021-26074
PUBLISHED: 2021-04-16
Broken Authentication in Atlassian Connect Spring Boot (ACSB) from version 1.1.0 before version 2.1.3: Atlassian Connect Spring Boot is a Java Spring Boot package for building Atlassian Connect apps. Authentication between Atlassian products and the Atlassian Connect Spring Boot app occurs with a se...
CVE-2018-19942
PUBLISHED: 2021-04-16
A cross-site scripting (XSS) vulnerability has been reported to affect earlier versions of File Station. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed this vulnerability in the following versions: QTS 4.5.2.1566 build 20210202 (and later) QT...
CVE-2021-27691
PUBLISHED: 2021-04-16
Command Injection in Tenda G0 routers with firmware versions v15.11.0.6(9039)_CN and v15.11.0.5(5876)_CN , and Tenda G1 and G3 routers with firmware versions v15.11.0.17(9502)_CN or v15.11.0.16(9024)_CN allows remote attackers to execute arbitrary OS commands via a crafted action/setDebugCfg request...