From the course: Lean Technology Strategy: Moving Fast With Defined Constraints

Understanding the boundaries

- What we find in most large organizations, as we go in to provide guidance in this area, is that the people who are actually doing the work really don't understand regulations, and the people who are charged with the responsibility of reporting on regulations and on security don't understand how people do the work. In truth, a lot of the auditors are accountants. They've never really worked on a project; they've never helped to develop a product. And this causes a problem, because oftentimes the general regulatory, risk and compliance people are looked at as police imposing controls on the people who are doing the work that prevent them from actually doing it well. In 2009, the Economist Intelligence Unit released a report, and it was called "Organizational agility: how businesses can survive and thrive in turbulent times." And one of the main quotes coming out of this that I really like to cite: "The main obstacles to improved business responsiveness are slow decision-making, conflicting departmental goals, conflicting priorities, and risk-averse cultures with silo-based information." All the things that help an organization grind to a halt. This is not being innovative. This is not being lean. This is not helping the organization to move forward. But with regulatory compliance and security, you have to deal with it. We have what we call the "wall of nos" in our industry. This is when somebody wants to try a new idea, and the legal people, the risk people, the security people stand up and shout, "No, you can't do that, because..." Now, it would be to everybody's advantage in an organization to understand exactly what the regulations and laws are that govern the operation of the organization.
It would also be helpful if all the people in risk and compliance understood exactly what it is the organization is trying to achieve, and helped the people who are actually doing the work find a balance between following the laws and reducing risk, and actually moving the organization forward and delivering products and services at a pace that is expected by customers. So we've got to have collaboration and cooperation happening. Now, to understand this whole area, there are a few terms that we need to get straight right off the bat. The first one is audit. It is an independent assessment, inspection or examination, based on actual standards that the auditors are using, that will say, within the defined scope of this audit, whether it be SOX, PCI DSS, or maybe HIPAA, any number of regulations... I worked on an airline once, and a lot of regulations are around that industry itself. But it has a defined scope. And the auditors actually look at what's being done, look at the standards, make an assessment of whether you're meeting those standards or not, and then generate a report. And there may be consequences of actually not meeting those standards. Regardless, the goal of an audit is to reduce risk, which also brings us to controls. Controls are actually activities we do within an organization to reduce the overall risk. Again, a lot of the controls are manifested in the form of policies, processes and procedures, such as approvals, or maybe I need to generate a report on a regular basis. Again, why do we do this? Sometimes it's needed for compliance: you have to prove to auditors that we actually are doing what we're saying we're doing. But more importantly, I think, controls are there to reduce the operational risk to the organization and achieve better outcomes, which leads me to talk about risk, which is basically activities that I perform that may result in a negative outcome for the organization.
Now, the problem with risk is that every time I make a move to balance a risk or bring it to a level which I'm very comfortable with in one area, I inevitably increase risk in another area. There is no possibility of totally eliminating risk, and most people don't understand that. Many security people are well known for saying that we have to get rid of all the risk. You can't. All you can do is say, "I am at a level where I can actually be comfortable with the risk that I'm running and operating with today." So when we think about risks and controls particularly, different conditions mean different rules. If you're a very slow-paced organization, where you're not expected to change very quickly at all, your controls can be very restrictive, because you don't care how long it takes. But if you're in a very fast-paced industry, where things are changing constantly, you need to have flexible controls which allow the people who are doing the work to make decisions on their own and move the organization forward at a pace that is expected by the customers. So I talked about risk reduction, not elimination. And the funny thing is, if we go back to the Economist Intelligence Unit report, this risk aversion of many large organizations, and the imposition of policies, processes, procedures and controls that are very restrictive, is exactly what increases the risk in many of today's organizations, those same organizations. Today's biggest risk with the use of technology particularly is that we built the wrong thing and we built it the wrong way. And many of the classic controls that are in place today actually push or nudge us to build the wrong thing in the wrong way, so we have to think differently about controls. Okay, for an exercise, just to get you started, I want you to think about all the regulatory obligations your organization has. If you don't know what they are, do a check on Wikipedia; usually there is a list there.
If you're in Fintech, I can tell you, stop at about 25, because you'll be spending too much time looking them all up. But just get a sense of what they are, and for further interest, you might even want to go on the internet and look at all of the controls and what the actual regulations say. Now, the key thing here is you will find something very interesting. Many of the regulations talk about intent, but they never tell you how to do that, how to actually implement it within an organization. So keep that in mind as we move along within the next units.
