
What is compliance and why is it important?


In conversation with Frank Oestergaard – Part 1 out of 2

Frank Oestergaard is a digital visionary and an experienced leader. He is the Director for Executive Customer Success at IBM Nordic. Frank has a wealth of experience working with businesses across the Nordics and Europe, enabling their business and digital journeys, most recently through Hybrid Cloud and AI.

Frank is passionate about leveraging AI to improve business services, experiences and the outcome, with a great admiration for ethics, transparency and more. Frank is always willing to share his many years of experience and the following interview will cover the topic of compliance for businesses: what it is about, what risks to face and how to combat these. 

You once mentioned that compliance is like a spider's web; could you please explain this?

Let me start by explaining compliance and why there is a lot of focus on it. When you build IT systems and deal with data, you will know there is a lot of existing regulation and new legislation, as well as standards, being rolled out in different industries. It comes down to two things:

  1. How you are managing your risk 
  2. How you deal with risk exposures

Risk can be many things in this area, but fundamentally it involves how you are dealing with the risk of protecting the data of the people that you are managing or handling – and then it is about control, i.e. how are you implementing control and which controls are needed, depending on each situation. Therefore, I describe compliance as a spider's web, as it has a lot of aspects to it. When you need to think about processes, you need to think about governance and you need to think about your strategy. Which business context are you operating in? You also need to consider this at the different layers. Meaning, is it in your infrastructure or your outsourced infrastructure if you are putting it into the cloud? Are you responsible for managing that? Or is somebody doing it for you? And to what extent are they living up to the regulations or standards? Amongst it all, imagine there is a spider and it kind of comes together with a lot of different strings. But at the core, you find the data, which is where the spider typically sits.

Why is compliance so important when adopting cloud?

You could say compliance has always been important. When you move in given industries, you know there has always been an element of dealing with compliance. I think the big difference is that now we are starting to take advantage of cloud. Cloud is just a representation of what I would call modern IT, where you are using new technologies like microservices, or you have containers and DevOps processes that enable it to move with a much higher speed. It is therefore fulfilling the requirements of the business, and cloud is an enabler of that. As you start increasing speed, if you are not thinking about how you do things and how you put governance in place, there is a high risk that you may overlook certain elements. Because you are moving so fast, you can expose your system, you can expose your data and you can perhaps not live up to some requirements from a security or compliance point of view – for example industry-specific or EU-specific standards. It is important, as you improve the speed, that you also follow with the implementation of compliance. To do this, you need to look at how you automate, because in many situations, when you go and talk to customers, you find that some of these compliance checks are very much manual checks. For example, concerns such as: where is your data stored? Are you encrypting data to the level you should? How is your key management? If you have to do that manually, you will not be able to follow the new speed of cloud or modern IT architecture. This leads me to why continuous compliance is so important. You are putting in controls that minimize the risk or any types of concerns surrounding your data security.

What are the risks related to the lack of compliance?

There are a lot of risks and different flavours to risk – but let us start with the data and discuss that, because that is the core of this. As EU citizens, we are all familiar with GDPR. GDPR has been around for maybe three or four years now; however, we still see companies making mistakes with the way they treat data or how they control data. There is also a regulation saying that you can only collect data when you have a purpose. You can document when you do it and how you do it. You need to have the ability to document how you live up to these compliance rules. You can document how you are implementing and protecting this data, and how you are treating the data in this case. So how am I handling security exposures or cyber threats? How am I avoiding just being accessed by somebody who has bad intentions? I need to live up to a certain standard to be allowed to collect and execute the business I am responsible for. Risk can therefore be many things. It can be data exposures, it could be cyber threats, it can be systems not working. It can be a system that is concentrated on a certain platform, and if that platform is put out of work, we often refer to that as hyper-concentration. This is where you can essentially bring a whole business or a whole industry to a halt. To repeat, risk can come in many flavours, and as a company, you need to live up to a certain level of standards and be able to document that you fulfil these requirements.

What is your advice to overcome the available risks of lacking compliance within an industry?

I see three categories of how you can create assurance to manage risk and controls. Specifically, when you move to cloud, you can make a contract with the cloud vendor. Or you can make a contract with the person who is taking care of the IT systems on that given platform or several platforms. That is what I often would refer to as contractual assurance. Contractual assurance is basically: if I am a vendor, I swear I will live up to our agreement – but sometimes that is not good enough. Sometimes we want to have some form of operational assurance, which means to have processes that can kind of create that assurance and follow up on the platform or the provider of the infrastructure. This is often where we use third-party certifications such as the European Banking Association standards. The one I fundamentally believe most often is used is operational implementation, which is when you technically create an assurance. This means you use technology to implement your compliance, and your processes around technically managing risk and control, so you cannot avoid living up to the standards.

At IBM we have a concept called ‘keep-your-own-key’. It is not just ‘bring-your-own-key’, which is often being used, but you ‘keep your own key’. This means you have the key to the data and the system, and nobody else can access them unless they have that exact key. Technically, we can implement a solution today that ensures we are living up to risk and control. This is what we see mature clients doing today. In my book, that is the ultimate way of creating assurance. The other thing you need to think about is the timing, because technology does not stand still. Let me give you an example of that. If we take data today, and we are using encryption technology today, with some of the highest standards, we know that quantum will allow people to decrypt data in a certain number of years from now, because quantum is giving us a normal way of crunching. My strongest advice is therefore to use technical assurance, and then keep the timing effect in mind as well.

Part 2 of this series will be out soon.


Director, IBM Cloud and Cognitive Software Technical Specialists & Solutioning Nordic
