The Ultimate Guide to Compliance Operations

What is Compliance Operations?

Compliance Operations is an operating model and a methodology built on the premise that managing information security compliance and security assurance programs consistently, on a day-to-day basis, is a critical component of effective IT risk management. It starts from three observations: cyber risks can change by the minute, regulatory volatility isn’t going away, and zero trust is now the default security (and B2B purchasing) model. As such, compliance and security assurance professionals need to apply more rigor and discipline to their daily activities and focus on continuous improvement. The Compliance Operations methodology gives organizations a way to manage IT risks in a more disciplined, proactive manner and to prove efficiently to their customers that they can keep sensitive customer data safe.

Key principles of Compliance Operations include:
  • Breaking down information silos across the IT risk management process
  • Sharing responsibility for security and compliance
  • Breaking down work into small increments and working iteratively
  • Standardizing IT risk management (including compliance) processes
  • Automating manual, routine tasks within the security assurance function
  • Putting a reporting and monitoring system in place to support ongoing improvements
  • Improving iteratively

The Majority of Companies Today Still Take a Reactive Approach to IT Risks

According to our 2021 IT Benchmark Survey (completed by 1,029 IT security assurance/compliance professionals), 65% of global tech companies still manage IT risks in an ad-hoc way, with siloed teams, siloed processes, and multiple disconnected tools. Close to 70% of surveyed IT security assurance professionals have no monitoring system to check whether the controls designed around their organization’s specific risks are actually operating.

Because organizations use multiple, disparate tools across their risk management process, collecting critical risk and compliance information is both tedious and difficult. As a result, organizations often have a limited understanding of how well existing risks are managed and limited capacity to detect when a control meant to mitigate a risk has failed or was never implemented effectively. All of this ultimately results in unwanted risk exposure: 61% of all survey respondents said they had experienced a data breach or privacy violation in the last three years.

Why It’s Time to Evolve Your Approach to Security Assurance

The business landscape today is highly volatile from a risk standpoint. Consider some of the key shifts of the past few years and the risks each has introduced into organizations:

  • By the end of 2019, 91% of all businesses were using the cloud. Worldwide spending on public cloud started the 2010s at $77 billion and was projected to reach $411 billion by the end of 2021.
  • Organizations’ reliance on third parties grew dramatically, along with the interconnectivity and interdependence among companies. The Ponemon Institute found that, on average, companies share their data with 583 third parties.
  • Technology purchases made directly by business units (“shadow IT”) now dwarf those made by IT departments.
  • Cybersecurity experts have seen a massive increase in the frequency, volume, and variety of cyberattacks over the past decade.

Further, the trend toward BYOD and the adoption of mass remote work during COVID-19 have widened the attack surface available to cybercriminals. In 2020, attackers refined their methods to take advantage of the pandemic itself and of the technologies organizations adopted in response to it. Online crimes reported to the FBI’s Internet Crime Complaint Center (IC3) nearly quadrupled after the start of the COVID-19 pandemic.

After shifting to mass remote work in 2020, many organizations became highly sensitized to the security and privacy risks posed by the technologies that support remote work (e.g., teleconferencing systems). Companies have realized that when a SaaS provider lacks solid security controls within and around its systems, attackers can compromise the provider and then use that access to attack the provider’s customers.

As more organizations gain a deeper understanding of the technology risks posed by their vendors, they have shifted from a “trust but verify” model to a zero trust model when dealing with IT vendors. In this context, “zero trust” means treating third-party software vendors and business service providers as potential attack vectors, and trusting a third party with your organization’s sensitive information only after qualified auditors have had the opportunity to audit that party’s security controls and verify its security and compliance posture. (Note that this is a vendor-trust usage of the term; zero trust as an architecture, as described in NIST SP 800-207, is about never granting access based on network location alone and authenticating and authorizing every request explicitly.)

One recent example of this shift to a zero trust approach to B2B relationships comes from the Department of Defense. Over the course of a few years, the loss and theft of government data held by contractors became increasingly costly. In the fall of 2020, the DOD rolled out a new cybersecurity requirement for its contractors and suppliers called the Cybersecurity Maturity Model Certification (CMMC). Instead of accepting companies’ self-assessments on security questionnaires as valid, the DOD announced it would only do business with contractors who had passed a third-party assessment at the appropriate CMMC level. (CMMC 2.0, announced in November 2021, later reintroduced self-assessment for Level 1 and for a subset of Level 2 contracts, so the exact assessment requirement depends on the contract.)

Today, every business that handles information should assume that prospective customers view it as a potential risk until proven otherwise. Meanwhile, there is a simple truth: as a business adopts new technology in its quest to innovate, and as more work gets done over the internet, the risk of data exposure will continue to grow.

The consequences of poor risk management practices have risen quickly, and they go well beyond the monetary penalty for a compliance failure. The costs include:

  • Operational costs, such as lost sales and higher operating expenses
  • Investigations and litigation costs
  • Reputational damage
  • Lost customer loyalty
  • Lower employee morale and higher turnover

According to Hyperproof’s 2021 IT Benchmark Survey (completed by 1,029 IT security assurance/compliance professionals), the typical organization that suffered a data breach within the last three years lost $5.96 million from a single incident.

Survey chart (not reproduced here): “How much did your organization incur as a result of this incident?”

With these factors in mind, organizations today need to get better at operationalizing their security assurance and compliance activities. This involves three parts. First, every organization needs an internal control system designed around its specific risks. Second, it must ensure that the control system (policies, procedures, and protocols) is functioning effectively, as intended, every day. Last but not least, it must keep controls up to date as its environment changes and as external events change its risk profile. To achieve these ends, security assurance and compliance teams need better insight into their current set of risks and their security posture, and modern tools that let them work efficiently, adapt quickly, and collaborate.

Get your copy of the Compliance Operations Playbook