Rethink IT Compliance

Compliance initiatives are viewed from the wrong lens.

Every week I look at requests and responses for technology and security compliance matters. Typically, I communicate this information with compliance-based personnel for a customer, the sales organization, or the lawyers. The focus of the process is to get answers that check a box and then move forward with the sales process. Speaking candidly, most of the people in the communication chain don’t really care about the content of the compliance controls. The process serves as a means to an end.

Why?

Compliance controls are put in place for a reason and are well intentioned to make workplace environments safer for both customers and employees. But I thought of three reasons why compliance controls cause angst and are often viewed negatively in a business environment:

  1. The compliance documentation is reviewed at the end of the sales process when it doesn’t influence decision making but becomes part of a check-list to get signatures on a contract.
  2. Compliance is viewed as a cost center and not an asset for winning business.
  3. The compliance documentation does not add value to the customer because documents are managed by a group that doesn’t use the product or service that is purchased.

Look at examples from other industries.

In the food and service industry, restaurants are required to post their health inspection scores in a visible location. I look at these scores periodically, and a low score has given me reason to pause and think before ordering. In this example the health score acts like a compliance report and is posted in plain view so the customer can review it before making a decision to purchase.

While not a standard, a few car dealerships will put an inspection report inside the used vehicles on their lot. It shows a potential buyer what was discovered during an inspection and whether the issue was repaired. This quick-view grid allows a prospective buyer to weigh the cost and value of a vehicle prior to purchase. For the dealer it becomes an asset that represents an investment in the product they are selling. The last used car that I purchased had one of these reports, and for me it was the difference that made me a purchaser.

Rethink IT Compliance.

Taking the lead from the food service and automotive examples above, I think we could bring more value to IT compliance work by changing the lens and refocusing our view.

  1. Present a summary grid of IT compliance elements to prospective buyers at the beginning of the sales process. Rather than viewing the document as a check-list, the sales organization would view the information as part of a selling tool and would be more engaged with the content of the compliance process.
  2. Present compliance work as an asset and differentiator rather than thinking about it as a back-office cost. Let customers know that the company has made an investment in controls mitigation and best practices. This becomes not only an asset to the product and service that is sold but speaks to the culture of the organization doing the selling.
  3. Allow the end customer to see the list upfront. This should be a simple one page document that shows the tests, policies, and initiatives related to compliance and regulatory controls. This allows the customer to place a value on the process and possibly influence their behavior to move to the next step of the buying process.

This could be done in such a way that it doesn’t expose detailed secrets about what vulnerabilities exist in the security control findings. Remember, it should be a one-page grid summary. It can list things like which policies are in place, which standards form the basis for the security policies, and whether routine scans and penetration tests are performed. If the customer has a compliance group and they want to see more details or examples, then you could provide that later in the process.

Onward and upward!

Photo credit: Iwan Gabovitch via Creative Commons.