A lack of IT knowledge exposes compliance officers to the Darwinism of the labor market.
Author: Hernan Huwyler, MBA, CPA, governance, risk and compliance specialist for multinational companies and Academic Director of the Advanced Compliance Program at IE Law School.
Advisory support in the design and implementation of IT controls, needed to comply with expanding data protection regulations and with contractual requirements on service availability and quality levels, opens up concrete job opportunities. Compliance officers have a privileged role in supporting the data security function, defining protocols to meet policy requirements and contractual clauses. In addition, compliance officers help to quantify the risks of breaching both privacy and essential-services laws and contracts for data services, cloud infrastructure, software licensing, application development and technology in general. The increasing visibility of the compliance officer’s role in offering advice on information security and data governance requires new skills in risks, system processes and cybersecurity controls.
A changing regulatory landscape
Regulators, particularly in the European Union, have considerably increased the requirements on critical infrastructures and services over the past decade. Starting with energy and transportation, the regulatory strategy has evolved to also cover financial services, communications and internet infrastructure, healthcare, water and waste utilities, and government services. As a result, more organizations must meet growing requirements to ensure the continuity of public services, and must be able to demonstrate that they do so. The trend of expanding the number of regulatory requirements and risk management concerns is expected to refocus compliance activities on data security and service continuity. Regulatory action is expected to extend to further sectors, such as food processing, agriculture, education, cybersecurity, defense services and facility management.
From Chile to China, the increasing enforcement of personal data regulations has created a fast-growing demand for high-level skills in compliance. Particularly since the adoption of the EU General Data Protection Regulation in 2016, the gold standard in privacy today, new advisory services have expanded employment opportunities for compliance specialists who have a hands-on approach and technical skills in cybersecurity. This new profile requires the translation of privacy requirements into clearly defined procedures embedding smart IT controls, as well as contractual clauses for data processors and suppliers involved in the outsourcing of IT services. Furthermore, third-party certifications and compliance audit services have created a strong demand for professionals who can align the testing of data processes with best practices, such as ISO/IEC 27701 on privacy controls, which extends the information security controls of ISO/IEC 27002.
The role of the compliance function in the current climate
In response to the COVID-19 pandemic and the overnight shift to remote working, the compliance function has had to take the lead in designing and communicating new procedures to protect end-user and mobile devices. It has also had to draft new contracts for new eCommerce needs and for the outsourcing of cloud services that support remote working. In this new context, the compliance and data security risks triggered by shadow IT have received significant attention, from line managers to C-level executives. These risks arise when employees or subcontractors install or use unapproved or unlicensed software and web applications, in many cases free of charge. Compliance officers have therefore needed to improve software purchase request protocols and have asked for web services such as Dropbox and Google Docs to be blocked. In many organizations facing pandemic-driven changes, the compliance function has also strengthened the controls assessed in due diligence on prospective third parties, as well as ongoing due diligence on IT providers already in service. Exit plans for critical IT suppliers have required better preparation and monitoring of contingency actions in case of unexpected service defaults.
These new business needs and changing obligations have led the compliance function to extend its register of compliance obligations and its IT control matrix, and to update the policies, procedures and contractual clauses affecting the confidentiality, integrity and availability of IT assets. As a result, the compliance function has improved controls on software licenses to ensure compliance with their terms and conditions.
Responding to new risks
The risk of falling behind the constant stream of vulnerabilities in IT assets and the changing attack strategies of hackers and other criminals requires compliance officers to suggest, implement, communicate and audit IT controls based on security policies, contracts and regulations. The new dependency on outsourced cloud storage and software services sharply increases the exposure to data breach risks. The skills of compliance officers have evolved to go beyond paper compliance and high-level policy writing in legalese, enabling business decisions by suggesting cost-effective alternatives, minimizing non-compliance risks and protecting intellectual property.
Compliance officers have also helped to quantify risk exposures for regulatory and contractual requirements on IT assets under different scenarios. By advising the business on maximum and minimum liabilities, fines, claims and penalties arising from contracts and regulations, the compliance function has spearheaded the development of data-driven methodologies and tools to quantify risks. These developments make it possible to overcome the shortcomings of biased assessments that ignore risk data, such as red/yellow/green ratings, 5×5 matrices and arbitrary scoring systems. These misleading qualitative risk methodologies have been refuted by science for more than a decade, and are now forms of malpractice and negligence that prevent a strong corporate defense.
Understanding the context of cyber compliance allows consultants to offer differentiated services in the market, and internal compliance officers to take a step forward in becoming influential business advisors. Excusing a lack of technical knowledge about systems, IT controls or data protection practices means that the compliance function turns its back on protecting organizations. It also leaves compliance officers at the mercy of Darwinism in the labor market, unable to offer in-demand and well-paid consulting services.
Hernan Huwyler, MBA, CPA, is a governance, risk and compliance specialist for multinational companies. He is Academic Director of the Advanced Compliance Program at IE Law School, works on developing internal controls to address business risks and legal requirements in European and American corporations, and is currently the IT Risk and Control Governance Lead at Danske Bank. He previously served as Risk Management and Internal Control Director for Veolia, leading governance practices in Iberia and Latin America. Hernan frequently lectures on compliance, risk management, data privacy, GDPR and auditing at top universities and business schools. Follow Hernan on Twitter @hewyler.
Note: The views expressed by the author of this paper are completely personal and do not represent the position of any affiliated institution.