On April 27, 2021, Noord hosted a virtual boardroom in association with SureCloud. The event comprised an introduction by Craig Connolly, Head of Technology GRC (UK & Ireland Division) at Flutter Entertainment Plc, and Matthew Davies, Senior Director, Product Management at SureCloud, followed by a discussion among senior IT professions on ensuring proactive IT compliance.
Opening of the session
Matthew Davies kicked off the session by touching on the key challenges IT compliance professionals face today. These include making sure business is done as quickly as possible without compromising on security; ensuring organisations understand their compliance obligation and see the value of IT compliance and security; and tackling the ever-increasing number of intersecting IT and privacy compliance requirements.
Craig Connolly then briefly touched on his professional experience, having started in technical auditing, and working in financial services before moving into GRC in the betting sector.
Reasons for attending and key challenges
Participants were asked to outline their reason for attending and the key challenge faced by their organisation. They brought with them a range of expertise, including in global security, data security and privacy, data networks, global applications and connected services, and cyber risk and compliance.
The organisations represented were at different stages of the IT compliance journey, with one attendee noting that they wanted to understand what requirements were out there and another noting that their organisation had been striving for IT compliance for years yet we’re still looking for ways to be more proactive and less reactive.
Some key challenges raised were improving compliance without necessarily hiring more employees, securing business buy-in, the ‘security debt’ accrued in the wake of the swift and potentially incautious transition to remote working during the pandemic, and achieving continuous assurance.
Setting up a regulatory compliance programme to establish and deploy key technical and security controls
Craig cited the example of Sky Betting’s acquisition by the Stars Group, an American company, which resulted in the need to achieve SOC compliance. In an organisation defined by its pace and agility, the unprecedented focus on scrutiny and rigour had brought about a culture shock. The business had been required to understand its key business processes and subsequently apply IT general controls to its systems.
Similarly, another attendee noted the challenge of having a parent organisation that has a different level of compliance maturity. Moreover, the point was made that when bidding for work with larger corporations, it can be a commercial advantage for a smaller company to demonstrate compliance with regulations.
Many attendees stated that they were dealing with multiple regulations, such as SOC, GDPR and PCR, noting that in a global context, there can be competing regulations between regional offices, which makes the compliance landscape harder to navigate.
The point was made that compliance does not always stem from legal requirements. For instance, one attendee from a housing association noted that their organisation has a lot of assets and data, so in addition to complying with legal regulations, it is important to de-risk by changing organisational culture. Having ‘security champions’ was mentioned as an effective tool for involving employees in a wider conversation about risk and security, with the ultimate goal of raising awareness and changing behaviours.
Managing and rolling out multiple compliance workstreams in a complex organisation
Under this topic, one attendee noted that employees quickly get ‘compliance fatigue’ when they feel plagued by the same questions for different regulations, which caused greater proactive disengagement. The ideal scenario is to avoid duplication and streamline questions into one survey.
Picking up on this idea, another participant noted that their organisation had merged their IT control framework and privacy control framework into a single document and had developed a sensible schedule to test all the controls, with some more crucial controls being subject to more regular testing.
Craig then mentioned the idea of a self-attestation model for controls, which his company had adopted to create a robust, evidence-based control environment whereby risk and control owners self-report on the controls for the specific assets they are responsible for.
Matthew mentioned the unified compliance framework and the secure control framework, noting that companies often find the latter a useful starting point as it provides implementation guidance and examples of immature and mature controls.
Exploring active compliance
Participants briefly discussed active compliance, with Craig noting that his organisation tended to rely on second and third-line assurance teams as an indicator of control health, although some automation has been introduced to the audit testing process in terms of how evidence is collated from certain systems. However, continuous assurance was still very much an objective rather than a reality.
This sentiment was echoed by one participant who noted that as it was difficult to say what continuous assurance would look like, it was difficult to make executive decisions in this area.
Adding to this, Matthew noted that one of SureCloud’s clients had built a bot to automate compliance in a few critical areas, but that it was difficult to make sense of the data the tool retrieved as it was not presented in a standardised way.
Ensuring you are taking the organisation along with you on the IT compliance journey
The point was made that employees will always push back on change if they can’t see a direct benefit to doing something – especially if the control in question is far removed from the business process it supports.
Craig noted that the self-assessment protocols his organisation had implemented impelled control leads to report weaknesses rather than sweep them under the carpet, helping to foster a culture of accountability. The relevant employees can then seek guidance and develop action plans to ensure that such issues are resolved in time for live audits.
Similarly, another participant mentioned the importance of reporting the most minor date breaches, as this enables teams to conduct root cause analysis and find faults before they become business critical. While there was recognition that reporting breaches may not always have the best bearing on the company, it instils the right kind of culture in the long term.
One attendee noted the importance of communicating the consequences of non-compliance to employees. These shock and awe tactics, though undesirable, were seen as necessary to ensure that people take ownership and make decisions, rather than prevaricating and leaving the decisions to more junior employees who may get things wrong.
Lastly, participants discussed risk acceptance, with employees potentially not realizing that accepted risks still need to be tracked and addressed at some point down the line. Risk acceptance was also seen as a way of shirking responsibility, so attendees felt that there needs to be a way of making compliance a priority – although no suggestions were provided.
Closing of the session
In summing up, Craig noted that the SureCloud GRC platform allows his organisation to create a general control based on multiple other controls, offering an out-of-the-box toolset solution, and allowing organisations to map across multiple frameworks.