INFOSEC23 – London – Compliance with data-protection requirements remains one of the cornerstones of cybersecurity and risk management, but with the fifth anniversary of the General Data Protection Regulation (GDPR) behind us, there are indications that it is becoming a disproportionate burden on IT departments.
Research released this week at Infosecurity Europe by Hornetsecurity found that 80% of organizations are more concerned about compliance than they were five years ago; however, the burden to retain an appropriate level of compliance falls on the IT department in more than half (57%) of businesses.
The survey of IT leaders in around 200 organizations found that more than a third (37.5%) of organizations do not have a dedicated compliance officer, while 69% of respondents said that compliance has a “moderate” to “extreme” impact on their IT department’s operations, and one in eight companies (13%) could not confirm at all that they were compliant with required controls, likely due to a lack of resources.
This suggests that, rather than being seen as a risk-management enabler, compliance is perceived as a hindrance, and many organizations simply offload it to the IT department, which may or may not be prepared to handle it.
“The fact that more than half of companies are hindering the day-to-day work of IT departments through lack of compliance staff and policies is a huge concern,” Hornetsecurity CEO Daniel Hofmann said in the report.
Is There a Negative Perception of Compliance?
Andy Syrewicz, technical evangelist at Hornetsecurity, says he believes there is a negative perception of the compliance burden — not just at the technology level, but in most businesses as a whole.
“Many organizations see compliance as just a ‘cost of doing business,’ much like taxes,” he says. “Many organizations want to do the right thing in safeguarding data regardless of the existence of regulations, but there are those in the industry that have a more flippant attitude. That said, the heavy burden of compliance is increasingly being put on IT teams — and businesses are looking for ways to deal with it.”
Rowenna Fielding, director of Miss IG Geek, says the GDPR had a significant impact on business due to the introduction of the Accountability Principle, which requires organizations to be able to demonstrate, with evidence, that they are upholding data-protection principles, respecting data-subject rights, and fulfilling their governance obligations.
“This closed a gap in previous data-protection law, which had largely been treated as a box-ticking exercise up until then,” she says. “However, this also made organizations realize how much ‘compliance debt’ they’d been carrying and required significant changes to be able to catch up with the previous 20 years as well as meet the new, more stringent standards.”
Fielding adds that there are strong parallels with health and safety laws, or consumer-rights regulations, which exist to protect living people from being harmed or exploited in pursuit of business advantage: “It’s hardly surprising that some business decision-makers perceive safeguards as a burden rather than a responsibility.”
That is the key word: burden. If something is perceived as a burden, people are less enthusiastic about it, and that appears to be the case with compliance in this research. Fielding says it is up to business leaders to make sure they have clear and realistic strategies and facilities for staying on the right side of the law, or, better yet, for taking corporate social responsibility seriously.
Who’s Responsible for Data Security Compliance?
Asked about the finding that compliance is left to IT in most organizations, Fielding says this is a recipe for disaster. IT’s responsibility is to make sure that procurement, configuration, maintenance, and support of IT equipment and services all enable the organization’s compliance obligations, not to act as sheepdogs for the whole organization.
“Each business unit should be determining their own operational parameters to fit within the organization’s strategy, and that means understanding any applicable compliance requirements and putting them into effect,” she says.
The solution, surely, is for responsibility for compliance to be spread across the whole organization, starting with a lead from the top. Fielding says it is the responsibility of senior management to provide the rest of the organization with parameters, resources, and steerage so that legal, contractual, and business obligations can be met. What often seems to happen instead is that the top level of an organization assumes that “compliance” can be achieved simply by telling people to do it (and threatening them with punishment if they don’t).
“This neither creates an environment where compliance is incentivized nor offers suitable or adequate resources for achieving it,” she says. “After all, it’s so much easier to scapegoat a junior employee for noncompliance than it is to build and maintain a culture which enables compliance.”