CYBER SECURITY OUTLOOK
The Compliance Conundrum: Cybersecurity Compliance Should Be Your Company’s Culture
By Ken Fanger, MBA, CMMC-RP, President, On Technology Partners
For many business owners, compliance standards are a real obstacle that adds to an ever-growing list of headaches. Unfortunately, they are quickly becoming the standard for how we will have to conduct business moving forward. But, while frustrating, they’re still a must, so embracing them is the way forward.
I will always fondly remember the episode of Scott Adams’ “Dilbert” comic strip that says, “Remember, you can’t spell compliance without ‘liance.’” For many of us, we just want to check all our boxes and move on. As frustrating as it is, we can’t just pass off the responsibility of compliance—or worse, lie about compliance. Think of it this way: if your accountant makes a mistake on your taxes, does the IRS go after your accountant, or do they go after you?
The reality is that compliance, when required for your business, is for the best, even if the process can be frustrating. For example, a company I worked with that was initially hesitant to implement new compliance standards quickly found itself grateful that it had when a very expensive issue arose. Let me set the scene: the company had recently moved to SOC 2 (Service Organization Control) compliance. At first, the company was very resistant to imposing the standards and controls that were needed to meet SOC 2. As they described it, everyone despised the process, and it seemed to make things take so much longer to complete.
Not long after this client had implemented the requirements for SOC 2, it ended up paying off greatly. A large customer claimed that the equipment they received was not shipped with the proper specifications, and they wouldn’t pay for the thousands of dollars in equipment that was sent. My client’s team then went back to all the control documents related to the order and found out that it was designed exactly as the customer had specified. The problem had been on the customer’s side, so they were forced to acknowledge the mistake, and my client got the payment. If the new controls had not been in place—if it had not been for their compliance needs—my client never would have been able to prove their lack of fault and would have been out of a lot of money.
Though it was arduous getting there, that client of mine had taken compliance seriously and made it a part of their everyday culture. This is precisely why compliance should be approached as a culture in your company rather than a checkbox. Everyone needs to be on board with it, and it needs to be accepted from the top down. If the president doesn’t believe in it, then the employees won’t either.
Alternatively, let’s consider an example of where compliance was not turned into a part of the culture. This was a manufacturing company I worked with that was very proud to be ITAR (International Traffic in Arms Regulations) compliant, even displaying it proudly on their webpage.
As I entered their building, I walked into the reception area and looked to my right, under the reception desk. They had a server sitting next to the workstation. I asked the manager I was meeting with if that truly was the main server for the office. He responded that it was and that they just didn’t have anywhere else to put it. He also had no clue why that was a problem.
For those who are unaware: the requirement for ITAR is that all servers and network equipment must be secured behind a locked and controlled area. The front lobby, sitting out in the open under a desk, would not be considered a secure location per these standards. Not only did this company break ITAR compliance, but they also put their network seriously at risk. If compliance had been seen as more a part of company culture and less a task to cross off the list, their data would have been safer, and their compliance needs would have been met with less frustration (and more accuracy).
The world of compliance is coming for all of us. You may have heard that Europe has imposed a very strict GDPR (General Data Protection Regulation) on all personal data that companies hold. It states that a person can request that all their data be removed from your system, and you must comply with that request. These standards are also coming to America as more states enact similar requirements, and the cost of not complying can be substantial. As we continue to try to address the growing threat of cyber attacks, our government will increase the number of laws and regulations to protect us. This means we’ll all have to live with more annoyance and “liance”, so we might as well accept it and incorporate it as smoothly as we can.
Author profile:
Ken Fanger, MBA, has 30 years of industry experience in the fields of technology and cyber security, and is a sought-after CMMC Registered Professional, helping manufacturers and contractors to meet DoD requirements for CMMC compliance. He is passionate about technology deployment, and his MBA in Operations & Logistics has helped him to be an asset in the design and deployment of networks to enhance the manufacturing experience. Over the past 5 years, he has focused on compliance and security, including working on the SCADA control system for the Cleveland Power Grid. Mr. Fanger works with each client to identify their unique needs, and develops a customized approach to meeting those needs in the most efficient and cost-effective ways, ensuring client success.