Please note that this is a page from a previous version of Continuity Central and is no longer being updated.

To see the latest business continuity news, jobs and information click here.

Business continuity information

Compliance should not be a primary driver of IT risk and security measures: Gartner

The need to ensure compliance with regulations should no longer be the primary consideration of CIOs when planning IT risk and security measures, according to Gartner, Inc. Gartner says that compliance is an outcome of a well-run risk management programme and should not dominate CIOs' decision making.

“By simply trying to keep up with individual compliance requirements, organizations become rule followers, rather than risk leaders,” said John A. Wheeler, research director at Gartner. “CIOs must stop being rule followers who allow compliance to dominate business decision making and become risk leaders who proactively address the most severe threats to their enterprises.”

Risk leaders evaluate anticipated compliance risks by tracking key regulatory and business changes. They then create a plan to address compliance requirements in a strategic and proactive manner that improves resilience and influences their business's success.

Mr Wheeler added that, too often, organizations still treat compliance activities as a checkbox exercise, with little regard for the related risks they are intended to address. “Organizations must change this reactive, check-the-box mindset and start viewing compliance as a risk,” said Mr Wheeler.

In this way, organizations are relying more on their own risk assessments to guide their implementation of controls rather than the ‘classic’ compliance approach of implementing mandated controls regardless of the anticipated risk severity or impact.

“If CIOs are managing their risks effectively, their compliance requirements will be met, and not the other way round,” added Mr Wheeler.

Given today's proliferation of regulatory mandates, it is challenging for organizations to develop a more forward-looking, adaptive approach. CIOs are often distracted by their efforts to keep up with specific regulations. This needs to stop. “They must create a formal and defensible programme of controls based on the specific situation and risks unique to their business,” said Mr Wheeler. “The rules and laws should then be mapped into the controls that have been proactively selected, and a defensible case should be made that the laws are being appropriately addressed.”

When treated in this manner, compliance becomes simply another category of risk that is addressed as an exercise in control mapping and defensibility. CIOs should work with their security and risk management teams to build a formal programme that can adapt to the changing landscape of regulatory requirements and that protects the organization from anticipated risks.

More detailed analysis is available in ‘Compliance Is No Longer a Primary Driver for IT Risk and Security,’ a report available on Gartner's web site at http://www.gartner.com/document/2556515

•Date: 13th August 2013 • World •Type: Article • Topic: ICT continuity

Business Continuity Newsletter Sign up for Continuity Briefing, our weekly roundup of business continuity news. For news as it happens, subscribe to Continuity Central on Twitter.

How to advertise How to advertise on Continuity Central.

To submit news stories to Continuity Central, e-mail the editor.

Want an RSS newsfeed for your website? Click here