A company is a single entity, but it is comprised of various teams and individuals. Everyone in the company is ostensibly working toward common goals and objectives, but the perspectives and priorities can vary—and sometimes overlap or conflict—from one department to the next, especially when it comes to cybersecurity and compliance. A new report sponsored by Authentic8 highlights some of the challenges that companies in financial services face and illustrates why it is important to coordinate efforts across the organizations to be effective.
The report—Surprising Disconnect Over Compliance and Secure Web Use at Financial Firms—was compiled based on results from a survey of IT managers, legal managers, and compliance officers from financial services companies and law firms with clients in the financial services industry. A total of 163 respondents who identified themselves as being personally involved in setting policies and procedures for managing security of IT operations and compliance for their organizations took part in the survey.
Disconnect Between Teams
The results of the survey are enlightening. They aren’t surprising, really, when you think about it, but remarkable, nonetheless. One of the primary findings of the survey is that different teams view both the problem and the potential solutions through a skewed lens. It’s a variation on the old “When all you have is a hammer, everything looks like a nail” philosophy.
IT, Legal, and Compliance all recognize that cybersecurity and compliance are important, but they don’t necessarily agree on which risks or tasks are most urgent. Michael Osterman, president of consulting firm Osterman Research (which was not involved in the actual survey), explains in the report, “They understand that they look at things differently, but they don’t truly appreciate the issues that the other departments face. Compliance doesn’t realize how difficult it is for IT to get things up and running, and how many users are doing dumb things that put the company’s data at risk.”
According to the survey, compliance teams prefer to emphasize reducing malware incidents and limiting access to social media sites by employees in order to close security and compliance gaps. Meanwhile, the legal team is more interested in addressing risk from web browsing and implementing data loss prevention policies, and the IT departments seem to suffer from tunnel vision and focus on point solutions and traditional perimeter defenses.
Scott Petry, co-founder and CEO of web isolation pioneer Authentic8, pointed out that financial services firms tend to have some of the best-funded IT departments of any industry, but that—in and of itself—doesn’t necessarily result in better cybersecurity. He shared, “What’s perplexing to me, with data breaches and privacy violations at an all-time high, is how deep the divide still runs between IT, compliance and legal professionals in many firms, according to these findings.”
Coordinating and Streamlining Cybersecurity and Compliance
It is untenable for an organization to maintain effective cybersecurity and compliance when the teams involved in achieving that goal are using their own playbooks and working toward different objectives. It is essential to have everyone rowing in the same direction, so to speak—especially for smaller organizations with few IT and cybersecurity resources to work with.
Michele DeStefano, a law professor and co-founder and co-editor of the Compliance Elliance Journal, cautions, “When you have three different groups solving for different problems, that’s when you find gaps.”
One of the recommendations in the report is for financial firms to move toward a flatter organizational structure—at least as it relates to IT, Legal, and Compliance. DeStefano stresses, “Compliance shouldn’t be separate from legal, because then you are separating the why you’re doing something from the what we’re doing and how we’re doing it.”
Regardless of how the organization is structured or whether any changes are made to align the IT, Legal, and Compliance teams, they need to cooperate with one another and coordinate their efforts. These three teams should work together to identify risks and establish priorities—each providing their unique perspectives and concerns and discussing between them to come to a consensus.
Effective cybersecurity and compliance are challenging enough without adding internal chaos and conflict. The different teams within the organization all want what’s best for the company and to help the business reach its goals and objectives, so it makes sense for them to find ways to cooperate and coordinate their efforts to streamline and improve security.