Using culture to inspire compliance
May 18
In today's data-driven business world, you're bound to hear about compliance frequently: be it from your customer, legal advisor, compliance team, or an article on the internet. However, the right approach to compliance is still an unsolved riddle.
When organizations want to comply with a new security standard, say ISO 27001 or SOC 2 Type 1, they follow a typical (read: tedious) approach:
- The central team drafts a list of controls for each team to abide by.
- The teams scramble to collect evidence and convince the auditor that their organization's processes are worthy of certification.
- These actions are repeated for the upcoming standards.
If this sounds familiar, it's time for you to gain a new perspective on compliance. In ManageEngine's experience, culture is the most integral aspect of establishing a sustainable compliance model.
We discussed ManageEngine's journey of compliance and the role of our security, privacy, and audit (SPA) team in our e-book "A CIO's guide to rethinking compliance". Today, we'll review how an organization's leaders can create a cultural shift that inspires teams to embrace compliance.
From "knowing" to "being"
During our ISO 27001 certification process, ManageEngine closely evaluated our compliance with the necessary normative controls. One control concerned user access provisioning. We implemented two-factor authentication and other identity verification processes to monitor access to our data centers. To an outsider, this might seem unnecessary. They might even conclude that compliance with an ISO 27001 control costs more time, energy, and resources than the benefit it provides.
However, that is far from the truth. The number of data breaches is increasing faster than ever. By making strict access controls a habit now, our organization is potentially limiting our breach perimeter to one location, i.e., our workplace. It has a significant impact on our future.
We could get away with implementing a simple policy that exists in name only and gets the job done. But then, each employee would merely "know" what to do, and continue doing it without much thought. An employee who merely "knows" might choose an expedient action to achieve a temporary desired outcome, rather than complying with the preferred control measures. That's why we need a cultural shift from "knowing" to "being".
"Being" means every employee is aware of the repercussions.
Even if we didn't need ISO controls, every employee would still need to choose strict access provisioning.
For every employee to "be" compliant, the culture of "being" must become a norm. Instead of just creating a policy, ManageEngine strives to ensure each person truly understands the purpose of each control. We do this through detailed presentations, discussions, research-based findings, and surveys to gauge employee awareness.
This culture of "being" ensures you don't waste time convincing employees that compliance is a "necessary evil"—because it's not. Compliance is, without a doubt, the best way forward.
From force to involvement
ManageEngine knew forcing compliance would not work for us. It might work for a particular ISO or SOC 2 control, but not for the culture that we're trying to instill. Take the example of another ISO control, the one for vendor relationships:
A risk assessment is necessary before onboarding a new vendor. If you try to force it, the risk assessment will lack meaning.
Vendor risk assessment is an empowering process. If you've vetted your vendors thoroughly, you can confidently tell your customers that their data is safe. However, pressuring employees could result in a half-hearted, careless job. It might look good on paper, but it won't serve its purpose. Your teams might weigh some risks poorly, or even overlook them. To avoid this, we try to involve employees in the process as much as possible.
We create interest through campaigns, contests, and attention-grabbing content on our internal collaboration platforms. We also involve employees closely in internal audits. When we include them in our processes, they understand why we do things the way we do. This culture of involvement will, in turn, be reflected in how they implement these controls.
Instead of being mere spectators, our employees get hands-on experience through events like Cybersecurity Awareness Month and Privacy Day.
From obligation to representation
ISO controls, like the secure development policy, need teams to be deeply involved. Similarly, controls regarding internal audits and incident management also involve specific teams. If you ask managers to get things done over email, it becomes "yet another project". If the culture of "being" and "involvement" is yet to flourish in your organization, it would be a cumbersome task for managers. That's why we focus on representation.
Each team has a representative, chosen based on their willingness and qualification, who handles everything concerning compliance. The selected member is trained first, and is responsible for guiding their team through the implementation process. In a way, their role is to infuse the culture of "being" and "involvement". We ensure each team has a compliance representative who works with the central SPA team.
Most importantly, you need to be patient to create a cultural shift. We knew that it doesn't end with getting employees to cooperate. We needed them on our side and fully committed. A cultural shift takes time, but it creates individuals who are passionate about compliance. Ultimately, it is about acknowledging that compliance doesn't stand in the way—it is the way.
To learn more about compliance, process control, and how we run the entire show at ManageEngine, check out our e-book "A CIO's guide to rethinking compliance".
About the author
Shivaram P R, Content writer