Have you ever wondered why lawyers write rules and regulations? So often, they negotiate into the final version of statutes, rules and regulations the use of words such as “reasonably designed”, “appropriate procedures”, “material risks”.
All of these words are offered by the regulators as attempts to formulate standards that can be adapted across the range of companies that may be subject to the rules—large, small, domestic, foreign-owned, partnerships, joint ventures. But in the 21st century, those words fail to deliver to the regulated entity the kind of direct, useful guidance as to what it can actually build and implement to be in compliance with the rules. Years ago, I was taught that businesses don’t like rules, but when there are rules, they want the requirements to be predictable and capable of being executed. They don’t want uncertainty, guesswork in the design, or second-guessing as to the suitability of what is built.
Welcome to the compliance chasm—trying to build processes that reach across the gap between the words in the rules and the actual way things need to work in companies in order that they can be managed and measured. Perhaps the flexibility of language made more sense in the last century, but with technology’s potential to support precise, repeatable processes, measuring performance against known metrics, why can’t our legal system author the rules in order that we can build and implement technology with a certainty that compliance is achieved by the solutions in which we invest?
For the last fifteen years, as legal institutions have begun to create rules for the ownership, use and protection of digital information, the compliance chasm has actually become wider and deeper. In every regulated business, the task is more and more daunting: What do we build to comply with these rules? How can we be confident that our systems, which are hard-wired by our software and controls, will be viewed as “reasonable”, “appropriate” or responsive to all of the “material risks”?
The strategy that does work is not to guess. Instead, you can build across the compliance chasm by carefully documenting the reasoning for why you built a solution that you believed to be in compliance. Frankly, by looking at how information security evaluates risks and builds controls, virtually any regulatory effort within a company can be improved.
The process is fairly direct—by first understanding threats, vulnerabilities and controls, you can have a different conversation about whether the procedures you are adopting truly respond to the objectives underneath the regulation. Then, by documenting how you believe the controls are, in fact, responsive to those threats and vulnerabilities (as seen from the eyes of your company), you have a better chance of demonstrating you actually were designing with intent, rather than happenstance.
The other key management strategy is continuous monitoring and improvement. Following the most recent Gulf of Mexico oil disaster, headlines were made when it emerged that the disaster plans of many of the oil companies all addressed the danger to certain species that were, in fact, already extinct. Information security management systems, particularly when built to the criteria of ISO 27001, are a strong functional solution for crossing the chasm of any regulatory control that addresses how digital information assets are to be created, governed and controlled.
If you would like to learn more about adopting a 21st century model for crossing the compliance chasm for digital information, whether through training or coaching, pick up the phone and give me a call.