10 Things I know about… Compliance Risk

Our VP of Sales and Operations, Janelle Drolet shares her 10 Things I know about… Compliance Risk with Worcester Business Journal

10) No place to hide: The regulations, laws, and frameworks an organization needs to comply with will depend on its industry, location, and the type of data it processes. IBM cites the average cost of a data breach at $4.45 million.

9. Definition: A compliance risk assessment is a full review of all the requirements, control frameworks, and regulations for an industry from a cybersecurity standpoint.

8. A scheduled process: Companies should strive to make compliance risk assessments a regular process, to identify unforeseen gaps.

7. Regulatory risk: Broader than a compliance risk assessment, a regulatory and compliance risk plan includes building remediation plans and monitoring and mitigating risks.

6. Know your gaps: Evaluate your security controls and processes. Take time to discover any potential gaps. Come to an agreement on your company’s risk tolerance. Because no two cybersecurity risks are equal, it’s important to evaluate its likelihood, its potential impact, what programs are in place and tools are being used to monitor, mitigate, or block it.

5. Have a remediation plan: Organizations need to have a playbook ready to mitigate any potential data compromise. Define remediation steps, assign roles and responsibilities, lay out timelines, costs, and resource needs. Test, test, and re-test.

4. Remediation strategies: Consider building a cybersecurity strategy for your organization including the 4 P’s: people, process, partners, and products. Train employees in security awareness. Offer phishing simulation exercises.

3. Review and iterate: Test your plan to measure its effectiveness. Update the plan based on the risk assessment, remediation, and any changes in regulations, business operations, or risk tolerance.

2. Seek expertise: To avoid mismanagement, document your security program and processes thoroughly. Remain objective, which is difficult when it’s your own company. Many companies opt to involve security experts and automation tools.

1. Foster a compliance culture: Investing in employee training, creating clear policies, and promoting good compliance behavior among employees will help improve overall security.