[BreachExchange] CEOs Must Support Their Compliance Officers

Audrey McNeil audrey at riskbasedsecurity.com
Fri Aug 4 14:28:53 EDT 2017


http://www.corporatecomplianceinsights.com/ceos-must-support-compliance-officers/

When I speak with CEOs and boards of directors, most of the time they say
their relationship is with the CEO, COO and CFO and that they have no
relationship with the CISO, CCO and CPO.  Ten years ago, this would have
been fine, as stock prices, bonuses and shareholder performance measures
were all based on the financials.  However, the environment has changed,
and there are so many additional factors to a company’s performance.  Take
a look at a retail store like Target, which saw a significant decrease in
stock price, profits and reputation due to a data breach.

When we saw Sarbanes-Oxley come into effect, they said it was mandatory to
have a financial expert on the board, which made sense in that day (and
still does), but now I think it is mandatory to have a compliance person on
the board, too – someone who understands governance, risk and compliance.

I think CEOs and the board see compliance as something you “do” or a box
you check, and that isn’t the case – maybe it was in the area of bank
regulations, where you need to check the box, pay the fee and move on. But
we’re in a new era now, in which compliance is integral in all we do.  You
can’t just “do” compliance like a task or activity, and that mindset needs
to be changed by the CEO and board; you have to make it part of your
culture to begin being compliant.

This is a dynamic and ongoing process, and it can’t be done once.  I think
that is where the disconnect is.  Compliance teams need the resources,
money and buy-in from the CEO and the board, but the CEO and board think of
this as a cost center – until there is a breach and they realize they
needed an incident response and disaster recovery plan. They may have had
to check the box, but it was never tested or wasn’t open to all the teams,
so gaps remained.

CEOs and the board need to change the compliance culture to be a
partnership, not a cost center or a check-the-box activity.  They must
weave compliance into all aspects of the business and make sure that
when systems are built, the developers and product managers rely on
“compliance by design” rather than treating compliance as an afterthought
and trying to retrofit compliance into the system.  When hiring leadership,
see what experience they have with compliance, how they see it as a
positive point in an organization and why they embrace it, rather than
setting it on the back burner.

Also, CEOs and the board need to make sure that the compliance officer has
a straight line to them, not to the CIO (they have different initiatives
and goals, which can be contradictory).  Compliance officers need to have a
seat at the table during strategic sessions, large process changes and
technology decisions.