You’ve said that the first order of concern for an enterprise is control, not compliance. What do you mean by that?
Henry: I believe that control is the higher order of priority and that compliance is a result of good control. It’s an approach of thinking first of the systematic operating frameworks for corporate governance, including data management, identity and access management, and risk management, before addressing compliance issues.
Companies must ask themselves “What should we be doing?” and “What relationships help to define requirements for what we need and want to do?” They also need to ask “How can we best manage risk?” Of course, asking these questions may trigger improvements to many business areas, including compliance.
Of course, much of this is a matter for executive management. They are the primary ones who must concern themselves with the U.S. Sarbanes-Oxley Act (SOX), Europe’s Basle II, HIPAA, and other industry- and country-specific regulations.
But control policies are most effective when implemented as standard operating procedures for every employee – and integrated into the corporate culture. Essentially you want to systematize and operationalize controls throughout the company.
How can a company move control deeper into an organization?
Henry: Education and training can raise the level of awareness of the importance of controls throughout the organization. Controls should be seen as a contribution to a well-run, efficient company. Employees who understand controls in this way recognize them as a part of their daily activities, and not just something to be concerned with for an audit.
The idea is for employees to embrace a culture of process control and the concomitant behaviors that support it. You want employees to conduct themselves with integrity. For instance, you would expect an engineering or manufacturing employee not to e-mail detailed information about exciting new product plans to a former colleague at a competing company. And you would want an employee with access to payroll information to respect privacy standards and keep data confidential.
Controls become so much a part of the fabric of the business that stock clerks, engineers, secretaries, managers, manufacturing line workers, accountants, and everybody in between know what is expected and can say, “It’s just my job.”
For example, in the financial services industry, key internal controls such as separation of duties (SoD) implement an appropriate level of checks and balances on the everyday activities of individuals. A financial company would do well to develop a comprehensive, cross-enterprise set of access controls that enables all corporate compliance stakeholders, including business managers, auditors, and IT security managers, to collaboratively define and oversee proper SoD enforcement, enterprise role management, compliant provisioning, and super-user privilege management.
Is it a cultural change you’re describing?
Henry: Yes. Now, in companies that operate in a freewheeling culture, following the “do-whatever-you-have-to-do-to-get-the-job-done” model, imposing controls and accountability might feel like a burden at first. But it can save a company from grave harm, including financial penalties, prison terms for principals, loss of reputation, and even destruction of the company, as we saw in the Enron scandal.
In explaining the need for additional controls I would say, “We have an obligation to our shareholders and to you and all the other employees to make sure you keep your job and to manage the company efficiently and profitably.”
And of course, if employees resist, the company might have to let them go and hire new personnel.
You are speaking about more than technology challenges, aren’t you?
Henry: It’s about much more than technology, important as technology is for infrastructure management and data control. We’re talking about good business practices, including risk management and security management. For instance, it’s also about answering the question “How do people come in and out of our buildings?” and establishing a clean-desk policy so that sensitive documents don’t disappear. Interestingly, we’re seeing that approximately 50 percent of the controls companies need to put in place are non-technology-related, such as these, and 50 percent are technological.
Another consideration is to think about striking a balance between encouraging people’s creativity while they work within documented standard operating procedures, such as definitions of who can and who cannot have system-level privileges to see financial data within a general ledger.
Largely this is about ownership. When employees know that their contribution matters, that they “own” their piece of the action, they can offer new ideas and suggestions, create new products with innovative sizzle, and make a difference to the company’s success – and their own – all within the set boundaries of quality, security, safety, regulatory, and compliance standards.
Can you give examples for control in globally active enterprises?
Henry: Of course, companies that operate internationally must be mindful of regulations and compliance issues in each country in which they do business. This is just part of acting globally. In addition, however, expansion may include engaging with outsourcing companies in new locations. It’s important to work with third parties to ensure that they contractually do the right thing. Employees or outsourcers whose language and culture may not be the same must understand and agree to the set of assumptions and expectations in the contract.
The contracts should include service level agreements (SLAs), which establish commitments for all services provided, along with priorities, responsibilities, and guarantees, as well as penalties in case of events that violate the agreement.
Contractually a company wants to ensure that controls are in place, complete with periodic audits and a clear understanding about the definition of appropriate response to events. For instance, if a data breach occurs, your contract specifies that the outsourcer will tell you in a specified amount of time. You don’t want people to try to cover up the “dirty stuff.” You need to establish as much open communication as possible so that if there is a breach it will be disclosed properly.
Can you cite examples of good or improved outsourcing practices?
Henry: In India, a country that does a great deal of outsourcing for North American companies, services firms put standard processes in place to match North American expectations. For instance, Americans have a cultural preference for clear, detailed agreements, and take performance commitments literally. Top Indian outsourcers have strengthened their offerings by aligning with these expectations and recognize it as an economic advantage.
How would you answer people who think more regulation is not a good thing?
Henry: As a security expert I’m always concerned about ensuring that an outsourcer really does what it says it is doing. Certainly it’s true that aligning expectations to ensure contractual agreement will raise the cost of outsourcing, but it’s really about managing risk.
In the final analysis, the questions to ask are how much you value your business and how much risk you are willing to take. From my perspective, asking these questions and putting prudent controls in place is just plain good business.