Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

4/16/2012
11:26 AM
50%
50%

Your Compliance Is Decaying Every Day

As soon as you train your colleagues about compliance, noncompliance is back in charge

As soon as you train staff, implement new technology, and make business process changes to become (or remain) compliant, the next day you are already less compliant. People's habits are hard to break, and what we are taught begins to fade within hours.

At the same time, risks to technology and security never rest or stop changing, whether from smarter malicious technology or simply the pace an organization’s technology continues to be updated and modified. It can be hard to monitor and verify for compliance without slowing down the necessary pace of business.

In a discussion I had with one CEO who was concerned about the expense of training, he said, “What if I spend all this money training my staff, and they leave? Then I’ve wasted all that time and money.” As politely as I could, I leaned over and quietly said, “What if you don’t train them, and they stay?”

He paused a moment, processing my question. I was relieved when he smiled and gave that nod we all give when we’ve had an “a-ha” moment. Training is not an extra, and its related costs are not optional. Training is something we pay for when we choose to do it, but it’s also something we pay for when we choose not to.

Untrained staff, like everyone else, will develop habits in their work. Without training, these will more often than not be bad habits that cost organizations money. This cost might not have its own line item -- it might be hidden in payroll and hard to identify immediately -- but it will be there. On the other hand, ongoing training helps your staff know the expectations and requirements of a job well done.

Organizations that do not include regular training and coaching for all aspects of their business operations typically see such education as an extra expense they can defer (or ignore). Oh, they claim they know training is important, but if they don’t show any commitment in either time or budget, they are deceiving themselves. This mindset applies to compliance, as well, because true compliance requires specific processes to be part of your daily operations, not add-on tasks at the end of projects.

Proper compliance training is really about much more than compliance. It is about how to perform work that includes compliant processes and procedures. The actions that lead to better compliance cannot be bolted on at the end of training or in separate compliance classes.

While annual training is better than no training at all, few of us recall the details of classes we took months ago. Effective training is intentionally designed to regularly reinforce processes that are compliant, secure, and healthy for the organization. Like fighting decay, being compliant requires regular updates, repairs, and attention. Compliance is your best effort toward maintaining the health of your company.

Glenn S. Phillips, the president of Forte' Incorporated, works with business leaders who want to leverage technology and understand risks within. He is the author of the book Nerd-to-English and you can find him on twitter at @NerdToEnglish.

Glenn works with business leaders who want to leverage technology and understand the often hidden risks awaiting them. The Founder and Sr. Consultant of Forte' Incorporated, Glenn and his team work with business leaders to support growth, increase profits, and address ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
SOC 2s & Third-Party Assessments: How to Prevent Them from Being Used in a Data Breach Lawsuit
Beth Burgin Waller, Chair, Cybersecurity & Data Privacy Practice , Woods Rogers PLC,  12/5/2019
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19619
PUBLISHED: 2019-12-06
domain/section/markdown/markdown.go in Documize before 3.5.1 mishandles untrusted Markdown content. This was addressed by adding the bluemonday HTML sanitizer to defend against XSS.
CVE-2019-19616
PUBLISHED: 2019-12-06
An Insecure Direct Object Reference (IDOR) vulnerability in the Xtivia Web Time and Expense (WebTE) interface used for Microsoft Dynamics NAV before 2017 allows an attacker to download arbitrary files by specifying arbitrary values for the recId and filename parameters of the /Home/GetAttachment fun...
CVE-2019-19617
PUBLISHED: 2019-12-06
phpMyAdmin before 4.9.2 does not escape certain Git information, related to libraries/classes/Display/GitRevision.php and libraries/classes/Footer.php.
CVE-2012-1114
PUBLISHED: 2019-12-05
A Cross-Site Scripting (XSS) vulnerability exists in LDAP Account Manager (LAM) Pro 3.6 in the filter parameter to cmd.php in an export and exporter_id action. and the filteruid parameter to list.php.
CVE-2012-1115
PUBLISHED: 2019-12-05
A Cross-Site Scripting (XSS) vulnerability exists in LDAP Account Manager (LAM) Pro 3.6 in the export, add_value_form, and dn parameters to cmd.php.