[This article is based on an interactive session at a Splunk conference comprising 30 EMEA customers in leadership roles in security, IT and other technical teams.]
The joke goes that when scientists were dividing up experiments, they took all the boring ones and put them in a group called “Physics.” Similarly, if I were to divide up a security leader’s role, and take all their most hated tasks, I’d probably put them in the group called “Compliance.”
Like physics, compliance can be described as “awful”, “essential” and “terrifying” — and indeed it was, by our EMEA leaders. Thankfully, the discussion went further than that — here’s a summary of their perspectives in three categories (none of them awful, essential, or terrifying):
- Laggers: The obvious, but reassuring to know
- Followers: The suspected, now confirmed by peers
- Leaders: The visionary/previously unknown, illuminated by insightful conversations
Let’s dig into three insights from each of these three groups and see where you align.
But first, which group are you in? Is your organisation setting standards and policies, following those who do, or reluctantly dragging its feet far behind its peers? The organisations who will win are leveraging compliance as:
- an opportunity for change (not a resource-drain)
- a great business case (not more paperwork)
- a market differentiator (not a hamstringing tick-box exercise).
A) Laggers: the obvious but reassuring to know
Budget: Never waste a good piece of legislation; our EMEA leaders agreed that regulation “gives budget and capex, with a ready-made business case.” Sounds positive, and likely not news to you, as almost all said they had leveraged legislation in budget discussions.
Difficulty: Compliance “can be just a paper exercise,” or a truly complex beast, even if “it gets easier each time.” Complicating factors include “fracturing between countries, including issues of data sovereignty, jurisdiction, and geographic complexity.” Leaders said that these factors can affect their decisions on how much they can use cloud and third-party hosting services.
GDPR: Many pieces of legislation got name-checked in the discussion, but can you believe that GDPR was enacted over 6 years ago? Yet some organisations still deal with it begrudgingly, reluctantly addressing it when they have to. In our group, GDPR was described as “good for citizens, but restrictive for the business and, as it's open to interpretation, the effects can be variable and uncertain.”
B) Followers: The suspected, now confirmed by peers
Compliance as a differentiator: EMEA leaders see voluntary certification as a way to “open markets, be a driver for business and bring money,” as well as recognising that sometimes certification “is just needed to be a supplier.” Speaking to that mindset, one leader said that “businesses can take the minimal approach to avoid conflict with legislation or use it as a selling opportunity.” Another said that legal efforts include patents and Intellectual Property (IP) protection, which only strengthens the argument that talking to your legal teams can lead to market differentiators.
Timing: “It’s tough to know when to invest time and effort into compliance,” said one leader. “Do we lead, follow, or wait?” We see that question raised often, and the answer usually depends on your innovation appetite and mindset towards compliance. Getting a head start is rarely a bad thing and gives you the chance to set or influence best practice — but being slightly later allows you to learn from the wins and mistakes of others. It’s a delicate balancing act.
Everyone’s responsibility: As with security, the responsibility for compliance is evolving so that it’s “not only with the legal team — the whole company shares it.” But, as several noted, an unresponsive Data Officer or Legal department can block you (in one case, for nine months and counting). Working out a shared responsibility model between legal teams and your departments can shortcut these frustrations and costly delays.
C) Leaders: The visionary/previously unknown, illuminated by insightful conversations
The opposite of ticking boxes: Upskilling legal teams allows them to ask better questions and challenge, becoming a meaningful part of the technical policy design, rather than merely an add-on to tick a box at the end of the process. Upskilling is crucial to unlocking this; as one leader said, “The gap between tech and legal leads to a lack of understanding, which leads to lack of challenge.” Another agreed that enablement was key, and their approach was to “give them tools and searches to self-serve, and shorten the loop.” On the plus side, this is an empowering approach and goes far beyond transactional conversations to tick boxes. Of course, extra challenges can also block you, but probably only where they should.
One leader noted this enablement of legal teams plays into their idea of “defensible compliance” — where you “need to show reasonable evidence and efforts were made to meet obligations.” Be honest and ask yourself: how defensible are your compliance efforts by this definition? What can you do to improve the current status?
Ecosystem effect: It’s not only about you. Entire governments use legislation to create uplifts in service, security, or quality of technical output. This effect on the supply chain is not only at a national level either, as a single organisation can uplift many others in its supply chain with new requirements. Get ready to ride the wave.
Innovation works in compliance too: Compliance is paradoxically both part of business-as-usual and an innovative space. Patents are a great example: they sit in an innovative space, yet IP protection is “part of risk management.” One attendee said, “Legislation can work against agility without a 'magician' — someone who can interpret and help meet business needs.” Yet another shining example of the need for innovation in compliance.
Summary
So, which group are you in? Among our EMEA leaders, we had both lovers and haters of compliance, with both groups including people who had reluctantly accepted their fate as leaders in this area. I’ve made, improved, and interpreted a lot of technical legislation in my time, and my take is to be relentlessly optimistic (because you have to do the same work, whether you love it or hate it) and utilise the positives. For European readers, NIS2 is probably your next opportunity to define your approach to regulation — try loving it!
Compliance gives you market differentiators and budget, and can provide useful challenges to established methods. No doubt, it can slow you down and get difficult — but when have technologists ever shied away from complex multi-faceted problems? In many ways, compliance provides a space for innovation and new thorny problems that suit the skillsets of technical leaders down to the ground. Don’t get left behind, and bring your policy teams along with you.