


Leveraging Compliance for Business Value

Jan 08, 2010 | 2 min read

Regulatory Compliance – some see it as a necessary evil; a periodic checklist to be completed so business can continue.  Others embrace it as a security panacea that mitigates risks with minimal impact on business processes and priorities.

The truth – compliance only indicates the presence of a control baseline, which may not address all risks.  While periodic audits serve to validate the presence of these controls, they tend to stimulate only periodic compliance.  This series explores continuous compliance as a means to generate business value.  According to a white paper by CA Inc., continuous compliance efforts have the following characteristics:

  • Automated

    Automated compliance reduces the resource cost associated with manual compliance.  It also reduces the errors inherent in a manual approach.

  • Ongoing

    Ongoing compliance encourages a collaborative approach, which discourages the emergence of “control silos”.

  • Sustainable

    Centralized management of controls and data flows reduces the risk associated with inconsistent access policies found in some decentralized management scenarios.  Targeting the touch-points between compliance mandates and core business processes allows for a sustainable compliance strategy.

According to Brad Garland, CEO of The Garland Group, continuous compliance relies on collaboration and coordination between business units.  “Understanding the interdepartmental relationships is critical to continuous compliance,” said Garland.  His firm focuses on discerning how a client’s core competencies are connected to compliance activities.  This approach allows “compliance to become a business driver for management, reducing the busy work for the auditors.”

The next article in this series will explore the concerns around information sharing in a collaborative environment.  A case study of a successful implementation will also be featured.


Steven F. Fox provides security guidance to ensure compliance with Federal standards and requirements as a Senior Security Architecture and Engineering Advisor for the IRS. Fox contributes to multiple working groups, including the IPv6 transition team, the Developer Security Testing workgroup and the Security and Privacy workgroup. He brings a cross-disciplinary perspective to the practice of information security, combining his experience as a security consultant, an IT Auditor and a systems engineer with principles from behavioral/organizational psychology to address security challenges. He is a syndicated blogger covering IT Governance, Risk Management and IT-Business fusion topics. He also volunteers his time to the Ponemon Institute and Security BSides Detroit.