On UHY’s latest Cause & Affect radio show on Atlanta Business Radio, I (David Barton, Managing Director at UHY Advisors) covered the topic of protecting company data. Daniel Blechinger, Vice President of IST Management Services, joined me to address how to navigate IT security frameworks and reporting in order to best protect your company’s information.
Dan and I work together: my firm provides his company with IT security and assurance reporting, and I brought him on the show so he could share his experience of going through the compliance reporting process and how it has impacted his company.
Dan and I see many misconceptions and misunderstandings about IT security at multiple levels within organizations. A lot of confusion exists about which IT controls and reports are needed and which are not. Virtually every company has to respond to inquiries about IT security, whether for compliance, existing customers, or new customers. In many cases you won’t even be considered as a potential business partner if you don’t have certain credentials or the right compliance report available. What is required varies greatly from company to company, but it’s critical that you understand what you need.
SOC, ISO, PCI, FISMA, and NIST are just a few examples of the compliance reports and frameworks you may be asked for. The alphabet soup of security and compliance frameworks can be overwhelming. These reports are intended to ensure that a company has the right controls in place and that those controls are operating effectively. They provide independent assurance that security and operational controls are working as they were designed. Like it or not, audits are a necessary part of business operations. As an audit firm with a lot of experience in compliance reporting, we can help our clients decipher the alphabet soup.
Here are four key takeaways from the radio show I’d like to highlight:
1. Understand All the Reports. We try to educate our clients so that when someone asks for an ISO report, for example, and you don’t have one, you’re informed enough to tell that potential business partner what you do have (e.g. a SOC report) and how it may satisfy what they are requesting.
I had a client in New York who asked me to create a SOC report for him. He was asking simply because one of his customers had asked him for one. He didn’t know whether he actually needed the report or not; he was reacting to a request he had received. I advised him to ask his customer why the customer needed the report before I created it. It turned out that a new report wasn’t necessary.
Knowledge is power. Read RFIs (Requests for Information) and RFPs (Requests for Proposal) carefully. Ask an independent third party if you don’t know which reports are the ones you need. Requirements can change every year, so you need to stay on top of what’s current.
2. Be Honest with Yourself. Acknowledge that there are areas that need improvement. Certain controls may not currently be in place; identify which ones those are and take action. Dan shared, “You need to shine the light on where you’re not doing so well, be willing to admit it, and then put some elbow grease behind putting things in place to make sure you’re doing it the right way.” Champion those things in your organization that need improvement and be a change maker.
3. Have a Plan. Dan noted, “You learn more from failing than you do from being successful. However, you’re not ingratiated for failing.” Put together a plan, communicate what you want to happen, execute the plan, and then communicate to your team what you accomplished. There may be hiccups along the way, but with a plan you can easily get back on track.
4. Find Someone You Can Trust. Like finding a good mechanic, you need someone who is not trying to gouge you or take advantage of you. Be honest with yourself about the areas in which you are not as skilled as others, and ask for help from those in your organization or from an outside vendor.
Stay tuned for more business insights from our radio program, and listen to all our episodes here.