What is compliance and why is it important?

Share this post:

In conversation with Frank Oestergaard – Part 1 out of 2

Frank Oestergaard is a digital visionary and an experienced leader. He is the Director for Executive Customer Success at IBM Nordic. Frank has a wealth of experience with working with businesses across Nordic and Europe, enabling their business and digital journeys by recently working with Hybrid Cloud and AI. 

Frank is passionate about leveraging AI to improve business services, experiences and the outcome, with a great admiration for ethics, transparency and more. Frank is always willing to share his many years of experience and the following interview will cover the topic of compliance for businesses: what it is about, what risks to face and how to combat these. 

You once mentioned that compliance is like a spider web, could you please explain this?

Let me start by explaining compliance and why there is a lot of focus on it.  When you build IT systems and deal with data, you will know there are a lot of existing regulations and new legislations, as well as standards, being rolled out in different industries. It comes down to two things:

1. How you are managing your risk 
2. How you deal with risk exposures

Risk can be many things in this area, but fundamentally it involves how you are dealing with the risk of protecting the data of the people that you are managing or handling – and then it is about control, i.e. how are you implementing control and which controls are needed, depending on each situation. Therefore, I describe compliance as a spider’s web, as it has a lot of aspects to it. When you need to think about processes, you need to think about governance and you need to think about your strategy. Which business context are you operating in? You also need to consider this at the different layers. Meaning, is it in your infrastructure or your outsource infrastructure if you are putting it into the cloud? Are you responsible for managing that? Or is somebody doing it for you? And to what extent are they living up to the regulations or standards? Amongst it all, imagine there is a spider and it kind of comes together with a lot of different strings. But at the core, you find the data which is where the spider typically sits.

Why is compliance so important when adopting cloud?

You could say compliance has always been important. When you move in given industries, you know there has always been an element of dealing with compliance. I think the big difference is that now we are starting to take advantage of cloud. Cloud is just a representation of what I would call modern IT, where you are using new technologies like microservices, or you have containers, devOps processes that enable it to move with a much higher speed. It is therefore fulfilling the requirements of the business, and cloud is an enabler of that.  As you start increasing speed, if you are not thinking about how you do things and how you put governance in place, there is a high risk that you may overlook certain elements. Because you are moving so fast, you can expose your system, you can expose your data and you can perhaps not live up to some requirements from a security or compliance point of view – for example industry-specific or EU-specific standards. It is important as you improve the speed, that you also follow with the implementation of compliance.  To do this, you need to look at how you automate because in many situations, when you go and talk to customers, you find that some of these compliance checks are very much manual checks. For example, concerns such as where is your data stored? Are you encrypting data to the level, you should? How is your key management? If you have to do that manually, you will not be able to follow the new speed of cloud or modern IT architecture.  This leads me to why continuous compliance is so important. You are putting in controls that minimize the risk or any types of concerns surrounding your data security. 

What are the risks related to the lack of compliance?

There are a lot of risks and different flavours to risk – but let us start with the data and discuss that, because that is the core of this.  As an EU citizen, we are all familiar with GDPR.  GDPR has been around, maybe three, four years now, however we still see companies making mistakes with the way they treat data or how they control data.  There is also a regulation saying that you can only collect data when you have a purpose.  You can document when you do it and how you do it.  You need to have the ability to document how you live up to these compliance rules.  You can document how you are implementing and protecting this data, and how you are treating the data in this case.  So how am I handling security exposures or cyber threats? How am I avoiding just being accessed by somebody who has bad intentions? I need to live up to a certain standard to be allowed to collect and execute the business I am responsible for. Risk can therefore be many things.  It can be data exposures, it could be cyber threats, it can be systems not working.  It can be a system that is concentrated on a certain platform, and if that platform is put out of work, we often refer to that as hyper concentration. This is where you can essentially bring a whole business or a whole industry to a halt. To repeat, risk can come in many flavours, and as a company, you need to live up to a certain level of standards and be able to document that you fulfil these requirements.

What is your advice to overcome the available risks of lacking compliance within an industry?

I see three categories of how you can create assurance to manage risk and controls. Specifically, when you move to cloud, you can make a contract with the cloud vendor. Or you can make a contract with the person who is taking care of the IT systems on that given platform or several platforms.  That is what I often would refer to as contractual assurance. Contractual assurance is basically if I am a vendor, I swear I will live up to our agreement- but sometimes that is not good enough. Sometimes we want to have some form of operational assurance, which means to have processes that can kind of create that assurance and follow up on the platform or the provider of the infrastructure. This is often where we use third party certifications such as the European Banking Association standards. The one I fundamentally believe most often is used is operational implementation, which is when you technically create an assurance. This means you use technology to implement your compliance, and your processes around technically managing risk and control, so you cannot avoid living up to the standards. 

At IBM we have a concept called ‘keep-your-own-key’. It is not just ‘bring-your-own-key’, which is often being used, but you ‘keep your own key’. This means you have the key to the data and the system, and nobody else can access them unless they have that exact key. Technically, we can implement a solution today that ensures we are living up to risk and control.  This is what we see mature clients doing today. In my book, that is the ultimate way of creating assurance. The other thing you need to think about is the timing, because technology does not stand still. Let me give you an example of that.  If we take data today, and we are using encryption technology today, with some of the highest standards, we know that quantum will allow people to decrypt data in a certain number of years from now, because quantum is giving us a normal way of crunching. My strongest advice is therefore to use technical assurance, and then keep the timing effect in mind as well. 

Part 2 of this series will be out soon.

Find out more:

Hybrid Cloud Solutions

IBM Hyper Protect Services – Overview