A Prescription for Dealing with Compliance Fatigue
When a client and a colleague both talk about the same malady, it’s apparent that some prescription is in order. The malady in question, one we have observed recently among higher education information technology leaders, is compliance.
Complying with requirements around information security and privacy practices can be an almost overwhelming burden. How can IT staff go about staying abreast of and managing compliance efforts, particularly when the requirements are continually changing? Added to that is the challenge of having multiple, sometimes overlapping requirements with which we must comply.
One CIO summed it up with the term “compliance fatigue” to describe the seemingly unending stream of efforts to keep ahead of various compliance requirements.
How, then, can we relieve the symptoms of compliance fatigue?
First, let’s consider some of the compliance requirements impacting higher education:
Each of these requirements has specific standards with which to comply. Some of the requirements, such as HIPAA, may only impact a small portion of operations at an institution, while others have broad impact across the campus.
Trying to keep up with and respond to changes in the requirements and standards can become a monumental task which, when combined with day-to-day responsibilities, can have a Chief Security Officer looking like a one-armed paper hanger.
Let’s take a step back. If we accept the situation for what it is and acknowledge that change will continue to evolve without pause, we are left with a choice: Do we treat the symptom or the disease?
Look back at the list of compliance requirements above. If we invert the list, starting first by addressing “Security and Privacy Best Practices,” the world of compliance becomes more rational. No longer do we look at compliance as a game where our goal is to meet the “minimum” requirement. Rather, by dealing with best practices, our focus becomes one of giving thought to, crafting, and nurturing our security practices in a way that serves the institution, students, and faculty first. Following established best practices also helps to keep us in compliance with the underlying regulations.
This shift requires a thoughtful and disciplined approach. It means carefully considering the needs of your own institution first, and then structuring practices and management activities to address those needs. The advantage is that this encourages a fundamental shift from addressing compliance requirements in a reactive manner to proactively addressing your institution’s information security and privacy needs. It allows your team to consider what practices are right for your operations and environment, the size and capability of your staff, and the resources available. The cost is that it requires planning and commitment to security, privacy, and information management.
The remedy, then, is adopting a proactive approach to managing information security and privacy practices that are based on the needs of your institution.
Clint Davies, CDP is a Principal with the firm of Berry, Dunn, McNeil & Parker. He leads the firm’s Management and Information Technology Advisory Practice and is in his third decade of serving clients in higher education and healthcare.