
EMEA Leaders’ Perspectives on: Compliance

Thirty leaders from security and IT share the challenges and opportunities of compliance.


[This article is based on an interactive session at a Splunk conference comprising 30 EMEA customers in leadership roles in security, IT and other technical teams.]


The joke goes that when scientists were dividing up experiments, they took all the boring ones and put them in a group called “Physics.” Similarly, if I were to divide up a security leader’s role, and take all their most hated tasks, I’d probably put them in the group called “Compliance.”


Like physics, compliance can be described as “awful”, “essential” and “terrifying” — and indeed it was, by our EMEA leaders. Thankfully, the discussion went further than that — here’s a summary of their perspectives, grouped into three categories (none of them awful, essential, or terrifying):


  • Laggers: The obvious, but reassuring to know
  • Followers: The suspected, now confirmed by peers
  • Leaders: The visionary/previously unknown, illuminated by insightful conversations


Let’s dig into three insights from each of these three groups and see where you align.


But first, which group are you in? Is your organisation setting standards and policies, following those who do, or reluctantly dragging its feet far behind its peers? The organisations who will win are leveraging compliance as:


  • an opportunity for change (not a resource-drain)
  • a great business case (not more paperwork)
  • a market differentiator (not a hamstringing tick-box exercise).


A) Laggers: the obvious but reassuring to know


Budget: Never waste a good piece of legislation; our EMEA leaders agreed that regulation “gives budget and capex, with a ready-made business case.” Sounds positive, and likely not news to you, as almost all said they had leveraged legislation in budget discussions.


Difficulty: Compliance “can be just a paper exercise,” or a truly complex beast, even if “it gets easier each time.” Complicating factors include “fracturing between countries, including issues of data sovereignty, jurisdiction, and geographic complexity.” Leaders said that these factors can affect their decisions on how much they can use cloud and third-party hosting services. 


GDPR: Many pieces of legislation got name-checked in the discussion, but can you believe that GDPR was enacted over 6 years ago? Yet some organisations still deal with it begrudgingly, reluctantly addressing it when they have to. In our group, GDPR was described as “good for citizens, but restrictive for the business and, as it's open to interpretation, the effects can be variable and uncertain.”  


B) Followers: The suspected, now confirmed by peers


Compliance as a differentiator: EMEA leaders see voluntary certification as a way to “open markets, be a driver for business and bring money,” as well as recognising that sometimes certification “is just needed to be a supplier.” Speaking to that mindset, one leader said that “businesses can take the minimal approach to avoid conflict with legislation or use it as a selling opportunity.” Another said that legal efforts include patents and Intellectual Property (IP) protection, which only adds to the argument that talking to your legal teams can lead to market differentiators.


Timing: “It’s tough to know when to invest time and effort into compliance,” said one leader. “Do we lead, follow, or wait?” We see that question raised often, and the answer usually depends on your innovation appetite and mindset towards compliance. Getting a head start is rarely a bad thing and gives you the chance to set or influence the best practice — but being slightly later allows you to learn from the wins and mistakes of others. It’s a delicate balancing act.


Everyone’s responsibility: As with security, the responsibility for compliance is evolving so that it’s “not only with the legal team — the whole company shares it.” But, as several noted, an unresponsive Data Officer or Legal department can block you (in one case, for nine months and counting). Working out a shared responsibility model between legal teams and your departments can shortcut these frustrations and costly delays.


C) Leaders: The visionary/previously unknown, illuminated by insightful conversations


The opposite of ticking boxes: Upskilling legal teams allows them to ask better questions and challenge, becoming a meaningful part of the technical policy design, rather than merely an add-on to tick a box at the end of the process. Upskilling is crucial to unlocking this; as one leader said, “The gap between tech and legal leads to a lack of understanding, which leads to lack of challenge.” Another agreed that enablement was key, and their approach was to “give them tools and searches to self-serve, and shorten the loop.” On the plus side, this is an empowering approach and goes far beyond transactional conversations to tick boxes. Of course, extra challenges can also block you, but probably only where they should. 


One leader noted this enablement of legal teams plays into their idea of “defensible compliance” — where you “need to show reasonable evidence and efforts were made to meet obligations.” Be honest and ask yourself: how defensible are your compliance efforts by this definition? What can you do to improve the current status?


Ecosystem effect: It’s not only about you. Entire governments use legislation to create uplifts in service, security, or quality of technical output. This effect on the supply chain is not only at a national level either, as a single organisation can uplift many others in its supply chain with new requirements. Get ready to ride the wave.


Innovation works in compliance too: Compliance is paradoxically both part of business-as-usual, and also an innovative space. Patents are a great example: they belong to an innovative space, yet IP protection is “part of risk management.” One attendee said, “Legislation can work against agility without a 'magician' — someone who can interpret and help meet business needs.” Yet another shining example of the need for innovation in compliance.


Summary


So, which group are you in? Between our EMEA Leaders, we had both lovers and haters of compliance, with both groups including people who had reluctantly accepted their fate as leaders in this area. I’ve made, improved, and interpreted a lot of technical legislation in my time, and my take is to be relentlessly optimistic (because you have to do the same work, whether you love it or hate it) and utilise the positives. For European readers, NIS2 is probably your next opportunity to define your approach to regulation — try loving it!


Compliance gives you market differentiators and budget, and can provide useful challenges to established methods. No doubt, it can slow you down and get difficult — but when have technologists ever shied away from complex multi-faceted problems? In many ways, compliance provides a space for innovation and new thorny problems that suit the skillsets of technical leaders down to the ground. Don’t get left behind, and bring your policy teams along with you.

