Regulation should not drive risk, security planning


Friday, 09 August, 2013

CIOs should stop basing their IT risk and security planning primarily on the need to ensure compliance with regulations, according to Gartner.

Compliance is an outcome of a solid risk management policy, according to Gartner Research Director John A Wheeler, and should not dominate decision-making.

“By simply trying to keep up with individual compliance requirements, organisations become rule followers, rather than risk leaders [able to] proactively address the most severe threats to their organisations.”

Risk leaders approach compliance risks by tracking key regulatory and business changes, and then creating a plan to address compliance requirements in a way that improves resilience and influences their business’s success, Wheeler said.

The key distinction is to treat compliance activities not as mere checkbox exercises, but as work aimed at the risks those activities are intended to address.

“If CIOs are managing their risks effectively, their compliance requirements will be met, and not the other way round,” Wheeler said.

He recommends companies create a formal program of controls based on the specific risks unique to their business, and then map rules and laws onto these controls. This also requires CIOs to be able to make a defensible case to regulators that the rules are being properly followed.

CIOs should also be working with their security and risk management teams to create a program capable of anticipating and adapting to changing regulatory requirements, Wheeler added.
