The need to ensure compliance with regulations should no longer be the primary consideration of CIOs when planning IT risk and security measures, according to Gartner, Inc. Gartner said compliance is an outcome of a well-run risk management program and should not dominate CIOs' decision making.
“By simply trying to keep up with individual compliance requirements, organizations become rule followers, rather than risk leaders,” said John A. Wheeler, research director at Gartner. “CIOs must stop being rule followers who allow compliance to dominate business decision making and become risk leaders who proactively address the most severe threats to their organizations.”
Risk leaders evaluate anticipated compliance risks by tracking key regulatory and business changes. They then create a plan to address compliance requirements in a strategic and proactive manner that improves resilience and influences their business's success.
Mr. Wheeler added that, too often, organizations still treat compliance activities as a checkbox exercise, with little regard for the related risks they are intended to address. “Organizations must change this reactive, check-the-box mindset and start viewing compliance as a risk,” said Mr. Wheeler.
In this way, organizations are relying more on their own risk assessments to guide their implementation of controls rather than the "classic" compliance approach of implementing mandated controls regardless of the anticipated risk severity or impact. “If CIOs are managing their risks effectively, their compliance requirements will be met, and not the other way round,” added Mr. Wheeler.
Given today's proliferation of regulatory mandates, it is challenging for organizations to develop a more forward-looking, adaptive approach. CIOs are often distracted by their efforts to keep up with specific regulations. This needs to stop. “They must create a formal and defensible program of controls based on the specific situation and risks unique to their business,” said Mr. Wheeler. “The rules and laws should then be mapped into the controls that have been proactively selected, and a defensible case should be made that the laws are being appropriately addressed.”
When treated in this manner, compliance becomes simply another category of risk that is addressed as an exercise in control mapping and defensibility. CIOs should work with their security and risk management teams to build a formal program that can adapt to the changing landscape of regulatory requirements and that protects the organization from anticipated risks.
More detailed analysis is available in "Compliance Is No Longer a Primary Driver for IT Risk and Security," a report available on Gartner's website at http://www.gartner.com/document/2556515?ref=QuickSearch&sthkw=Compliance%20Is%20No%20Longer%20a%20Primary%20Driver%20for%20IT%20Risk%20and%20Security
Gartner analysts will discuss compliance and regulation issues at the Gartner Security & Risk Management Summit 2013, to be held from August 19-20 in Sydney, Australia, and September 18-19 in London. Details on the Australian event are at http://www.gartner.com/technology/summits/apac/security/. More information on the U.K. event is at http://www.gartner.com/technology/summits/emea/security/.
Members of the media can register for press passes to the Summits by contacting susan.moore@gartner.com (Sydney) or rob.vandermeulen@gartner.com (London).
Information from both Gartner Security & Risk Management Summits will be shared on Twitter at http://twitter.com/Gartner_inc using #GartnerSEC.
About the Gartner Security & Risk Summit 2013
Senior executives want information security and risk management to be more predictable and manageable. However, in an uncertain environment defined by disruptive technology trends, it's a challenge to anticipate the future. At the Summit, Gartner analysts will help delegates run, grow and transform security programs that account for the most recent technologies, including the cloud and mobile devices, and related privacy issues. They will also advise on how to measure and manage risk, and how to comply with global rules, regulations and laws about financial transactions and privacy.
About Gartner
Gartner, Inc. (NYSE: IT) is the world’s leading information technology research and advisory company. Gartner delivers the technology-related insight necessary for its clients to make the right decisions, every day. From CIOs and senior IT leaders in corporations and government agencies, to business leaders in high-tech and telecom enterprises and professional services firms, to technology investors, Gartner is a valuable partner in more than 13,000 distinct organizations. Through the resources of Gartner Research, Gartner Executive Programs, Gartner Consulting and Gartner Events, Gartner works with every client to research, analyze and interpret the business of IT within the context of their individual role. Founded in 1979, Gartner is headquartered in Stamford, Connecticut, USA, and has 5,500 associates, including 1,402 research analysts and consultants, and clients in 85 countries. For more information, visit www.gartner.com.
“By simply trying to keep up with individual compliance requirements, organizations become rule followers, rather than risk leaders,” said John A. Wheeler, research director at Gartner. “CIOs must stop being rule followers who allow compliance to dominate business decision making and become risk leaders who proactively address the most severe threats to their organizations.”
Risk leaders evaluate anticipated compliance risks by tracking key regulatory and business changes. They then create a plan to address compliance requirements in a strategic and proactive manner that improves resilience and influences their business's success.
Mr. Wheeler added that, too often, organizations still treat compliance activities as a checkbox exercise, with little regard for the related risks they are intended to address. “Organizations must change this reactive, check-the-box mindset and start viewing compliance as a risk,” said Mr. Wheeler.
In this way, organizations are relying more on their own risk assessments to guide their implementation of controls rather than the "classic" compliance approach of implementing mandated controls regardless of the anticipated risk severity or impact. “If CIOs are managing their risks effectively, their compliance requirements will be met, and not the other way round,” added Mr. Wheeler.
Given today's proliferation of regulatory mandates, it is challenging for organizations to develop a more forward-looking, adaptive approach. CIOs are often distracted by their efforts to keep up with specific regulations. This needs to stop. “They must create a formal and defensible program of controls based on the specific situation and risks unique to their business,” said Mr. Wheeler. “The rules and laws should then be mapped into the controls that have been proactively selected, and a defensible case should be made that the laws are being appropriately addressed.”
When treated in this manner, compliance becomes simply another category of risk that is addressed as an exercise in control mapping and defensibility. CIOs should work with their security and risk management teams to build a formal program that can adapt to the changing landscape of regulatory requirements and that protects the organization from anticipated risks.
More detailed analysis is available in "Compliance Is No Longer a Primary Driver for IT Risk and Security," a report available on Gartner's website at http://www.gartner.com/document/2556515?ref=QuickSearch&sthkw=Compliance%20Is%20No%20Longer%20a%20Primary%20Driver%20for%20IT%20Risk%20and%20Security
Gartner analysts will discuss compliance and regulation issues at the Gartner Security & Risk Management Summit 2013, to be held from August 19-20 in Sydney, Australia, and September 18-19 in London. Details on the Australian event are at http://www.gartner.com/technology/summits/apac/security/. More information on the U.K. event is at http://www.gartner.com/technology/summits/emea/security/.
Members of the media can register for press passes to the Summits by contacting susan.moore@gartner.com (Sydney) or rob.vandermeulen@gartner.com (London).
Information from both Gartner Security & Risk Management Summits will be shared on Twitter at http://twitter.com/Gartner_inc using #GartnerSEC.
About the Gartner Security & Risk Summit 2013
Senior executives want information security and risk management to be more predictable and manageable. However, in an uncertain environment defined by disruptive technology trends, it's a challenge to anticipate the future. At the Summit, Gartner analysts will help delegates run, grow and transform security programs that account for the most recent technologies, including the cloud and mobile devices, and related privacy issues. They will also advise on how to measure and manage risk, and how to comply with global rules, regulations and laws about financial transactions and privacy.
About Gartner
Gartner, Inc. (NYSE: IT) is the world’s leading information technology research and advisory company. Gartner delivers the technology-related insight necessary for its clients to make the right decisions, every day. From CIOs and senior IT leaders in corporations and government agencies, to business leaders in high-tech and telecom enterprises and professional services firms, to technology investors, Gartner is a valuable partner in more than 13,000 distinct organizations. Through the resources of Gartner Research, Gartner Executive Programs, Gartner Consulting and Gartner Events, Gartner works with every client to research, analyze and interpret the business of IT within the context of their individual role. Founded in 1979, Gartner is headquartered in Stamford, Connecticut, USA, and has 5,500 associates, including 1,402 research analysts and consultants, and clients in 85 countries. For more information, visit www.gartner.com.
