To Comply, or Not to Comply: The Strategic Approach to IT Compliance
I was talking to a prospective client the other day and the subject of DFARS/NIST DoD compliance came up. Obviously, cyber security is one of the most pressing issues of our age and when you’ve got the Department of Defense watching over you, that’s a pretty big deal. I asked him a little bit more about what he was currently doing to maintain that compliance, and his response made my jaw drop.
“I’m not,” he said, like it was common sense. “We never see it being enforced. To be honest, we’re kind of waiting for the first ‘heads to roll’ and for someone to get fined before implementing compliance controls of our own.”
Though it may surprise some people out there, that’s actually a pretty common theme. We do a lot of work with companies who are subject to a number of different compliance requirements like PCI, HIPAA and others and a lot of them tell me some variation of the same idea: “they’re reluctant to really understand what elements of those regulations specifically apply to their organizations and are even less willing to allocate the resources to address them.”
At least, that’s what they tell me at first.
In all the years I’ve been doing this, I’ve noticed that a lot of the biggest misconceptions I see stems from the same basic idea: clients just don’t understand IT enough to grasp what the requirements are actually asking for in the first place. Once I have the opportunity to really clarify to them why this all matters and how IT can help address compliance in a holistic, strategic way, most of them have a shift in perspective at the most critical of moments.
That is precisely what I want to do today, too.
The Major Misconceptions About Compliance
A lot of these compliance requirements are very intensive and usually require implementation via a manual solution. That requires true collaboration between IT and non-IT executive staff.
For small businesses in particular where they rely on an internal resource or an MSP that doesn’t provide that collaborative experience, it becomes all too easy to overlook the impact that non-compliance can truly have.
Along those very same lines, many clients and potential clients are operating under the assumption that the tools required to adhere to something like DFARS are superfluous because they don’t provide any real value to their company’s IT strategy.
This, too, is false – especially since the cyber security threat landscape has become increasingly volatile over the last few years.
Putting the IT Back in Compliance
For as complicated as all of this is, luckily the solution is fairly straightforward. It’s not as easy as “continuing to do nothing” like a lot of people have been, but it’s actually easier than one might think.
First, most clients who fall under the categories I’ve been describing need to adopt a totally new company culture with regards to IT and how their strategy is formulated. They need to take IT’s relationship with compliance seriously and they need to fully grasp the consequences of “getting it wrong.”
But more than that, they need to stop thinking of things in negative terms and start looking at the positive aspects – the ones that generate true value – that compliance will bring with it.
To continue to use the DFARS example, compliance not only improves a company’s chances of winning a contract over those who aren’t – it’s also an incredible opportunity from a branding and general liability standpoint as well.
Companies that are compliant tend to win more business, provide more value and minimize the costs of downtime over those who aren’t. New clients tend to trust them more which further fuels their reputation as an authority, their revenue increases and they get the DoD off their back – all at the exact same time.
What’s not to like about that?
The second part of the solution involves finding the right IT partner who can help you implement all of the security tools needed for whichever compliance requirements you have to meet. Don’t forget that PCI, HIPAA, DFARS and others all have different requirements – meaning that there’s no “one size fits all” approach that will work for all of them.
Many of these solutions are admittedly involved and complex and, generally speaking, take several months to implement successfully. Finding the right partner to stand by your side today doesn’t just guarantee that you’re fully in compliant at the end of those months. It also helps relieve some of the day-to-day stresses you’ll experience during that time so you can focus less on compliance itself and more on how to strategically leverage your compliance in every business decision you make thereafter.
As is true with IT in general, an investment in compliance is an investment in the future of your business. There are few things more important than taking advantage of every chance you have to protect everything you’ve worked so hard to build. Just because “nobody enforces these compliance requirements” today doesn’t mean that this will always be true, unfortunately.
One day, they will. Believe me – when that day comes, you’ll be glad you acted today.
About Chris Souza
As the CEO of Technical Support International, Chris Souza is proud of the work that he and his team have done in terms of helping businesses get the most out of their IT infrastructure for the last several years. To find out more information about how to take a strategic approach to compliance, or to get answers to any additional questions you might have, don’t delay – contact us today.