Ciao Compliance™ – Traditional compliance is dead
September 1, 2017
In cyber, traditional compliance models are ineffective, inefficient and can sometimes cause a headache. So we decided to say CIAO to traditional compliance.
At Cyber UK, we had many conversations with compliance experts from various industries and organisations in the UK. After airing the usual complaints, we started thinking about what compliance could look like in the future. We all agreed that it would be more automated and certainly smarter. One of the group, a senior employee of a major defence contractor, said, “but the CyberSmart platform is already doing that, sort of.”
For me, this moment was eye-opening and defined how we would go about developing our platform further. We went back to the drawing board for a brainstorming session, and here are some of the ideas we came up with.
CIAO Compliance™ stands for continuous, intelligent, automated and objective compliance.
Compliance traditionally consists of snapshots – certificates of the state of conformity are submitted once a year. In some cases, assurance departments are sent on site to audit the compliance status. Although this model works well in an analogue world, it is completely unsuitable for the global digital economy. In a matter of days, systems are updated, new devices are plugged into the network, and new software is released. An organisation’s IT infrastructure is constantly changing. This means a business can be fully compliant at the time of certification or audit, yet fall out of that state the very next day once a new piece of software is installed.
The answer to this problem is continuous checking and auditing. Although this may appear to be a revolutionary concept in the compliance industry, it has already become common practice in other areas of life: how many of us continuously track our state of fitness? How many young drivers have a black box in their car, monitoring their driving behaviour? The faster we move, the higher the auditing frequency needs to be. For IoT, that may mean auditing in real time.
Traditional compliance applies the same strategies to similar supplier categories, which has worked well in the past. Intelligent assurance takes a different approach and adjusts the compliance model to each organisation individually. If performed by employees, this task would require an obscene number of staff hours; by using technology, assurance standards can not only be adjusted, but their effectiveness can be objectively measured and their structure refined accordingly.
A large number of companies still use paper forms for their assurance processes. Not only is this slow and inefficient, but it is also highly insecure. Forms can be misplaced, and the person filling out the form is not entirely objective (see the final point below). Again, technology can help overcome this challenge, performing within seconds tasks that used to take hours.
Although all assurance officers wish that compliance standards were objectively measured, we all know that this is not the case. Requirements often leave room for interpretation, and suppliers are often more focused on keeping the business than on being genuinely compliant.
In my experience, many companies that are compliant with even well-established standards such as ISO or GDPR often fail basic compliance checks when an automated compliance solution is used. In most cases, this comes down to the very basics of information security, such as unpatched systems or no firewall being in place.
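To make the “compliant at audit time, non-compliant the next day” problem concrete, here is an added example (not code from the CyberSmart platform) of continuous checking in Python. It evaluates a small set of basic controls of the kind mentioned above (patch age, host firewall, listening ports) against each observation of a host and reports which controls have drifted since the audit-day baseline. The control names, thresholds, hostnames and observations are all constructed for the illustration.

```python
"""Continuous compliance check with drift detection (constructed example)."""
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, List, Set, Tuple


@dataclass
class HostState:
    """One observation of a host, as an agent or scanner would report it."""
    hostname: str
    observed: date            # when this observation was taken
    os_patch_date: date       # when OS patches were last applied
    firewall_enabled: bool
    installed_software: Dict[str, str]   # package name -> version
    open_ports: Set[int]


# A control is a name plus a predicate over a HostState; True means "passes".
Control = Tuple[str, Callable[[HostState], bool]]

# Assumed policy values for this example (not from any real standard).
MAX_PATCH_AGE_DAYS = 14
ALLOWED_PORTS = {22, 443}

CONTROLS: List[Control] = [
    ("patched-within-14-days",
     lambda s: (s.observed - s.os_patch_date).days <= MAX_PATCH_AGE_DAYS),
    ("host-firewall-enabled",
     lambda s: s.firewall_enabled),
    ("only-approved-ports-listening",
     lambda s: s.open_ports <= ALLOWED_PORTS),
]


def evaluate(state: HostState, controls: List[Control] = CONTROLS) -> Dict[str, bool]:
    """Return {control name: pass/fail} for a single observation."""
    return {name: bool(check(state)) for name, check in controls}


def is_compliant(results: Dict[str, bool]) -> bool:
    """A host is compliant only when every control passes."""
    return all(results.values())


def drift(baseline: Dict[str, bool], current: Dict[str, bool]) -> List[str]:
    """Controls that passed at the baseline (audit day) but fail now."""
    return sorted(name for name, ok in baseline.items()
                  if ok and not current.get(name, False))


def check_series(observations: List[HostState]) -> List[Tuple[date, bool, List[str]]]:
    """Treat the first observation as the certified snapshot and re-check
    every later one against it, returning (date, compliant?, drifted controls)."""
    baseline = evaluate(observations[0])
    report = []
    for obs in observations:
        results = evaluate(obs)
        report.append((obs.observed, is_compliant(results), drift(baseline, results)))
    return report


# Constructed observations: audit day, then the day after a new service was
# installed, the firewall switched off and an extra port opened.
AUDIT_DAY = HostState("web-01", date(2017, 9, 1), date(2017, 8, 25), True,
                      {"nginx": "1.12.1"}, {22, 443})
NEXT_DAY = HostState("web-01", date(2017, 9, 2), date(2017, 8, 25), False,
                     {"nginx": "1.12.1", "redis": "4.0.1"}, {22, 443, 6379})

if __name__ == "__main__":
    for when, ok, drifted in check_series([AUDIT_DAY, NEXT_DAY]):
        status = "compliant" if ok else "NON-COMPLIANT"
        print(f"{when}: {status}" + (f", drifted: {', '.join(drifted)}" if drifted else ""))
```

Run on its own the script shows the audit-day snapshot passing and the next day failing two controls. The point of the design is that the same predicates run on every observation, so the report is a time series rather than a single certificate; in practice the observations would come from an agent or scan rather than being hard-coded.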
With the number of connected devices increasing daily, CIAO compliance appears to be the only way to ensure that organisations remain secure in the 21st century. Why are we still washing our clothes by hand when washing machines exist? CIAO, traditional compliance.
Join us in making compliance exciting, transparent and secure.