In business, though, it’s not great when different departments fail to see eye to eye, especially if one group devalues the other, even ever so slightly. Take Compliance and Security people. Compliance and Security professionals often come from different backgrounds, with different skill sets. And while definitely not polar opposites like Oscar and Felix, and while both groups perform essential work for the business, it sure does seem like Security people often fail to appreciate the value of the Compliance team.
How to Get the Respect Your Team Deserves
So what can you do to change the perception? It’s a basic tenet of human relations: You can’t change other people, even when their perception is mistaken. If you want to get more respect, the quest starts by considering how you can bring more perceived value.
Here are a few suggestions to start you off:
Get More Technical
The first way to get more respect is by knowing more about what the Security people know, i.e., get more technical. If you want to have a meaningful conversation with the Security team about a deeply technical area, you need to understand it well. Pick a few areas in which to become more of an expert, choosing areas germane to both Compliance and Security. A suggested area: Identity and Access Management (IAM). You’ll go a long way toward earning respect by speaking the same language Security speaks about IAM, and you’ll get Security to care about it in the same way you do.
You probably won’t be as technically knowledgeable as Security is in every area, but getting more technical in specific areas is a good start. You’ll have more productive conversations and a better understanding of the actual risks, beyond mere controls and paperwork. This greater understanding will allow you to discuss a huge area of concern to your business—how it’s securing assets. Both Security and Compliance care about this, so the more the two teams share the data that matters, the better it’ll be for your business.
Lean in and Help
Security professionals are passionate about drawing attention to pressing issues. Compliance pros, on the other hand, excel in bringing order and regimentation, approaching problems in an analytical way. So here’s a chance for symbiosis, wherein Compliance can help structure how Security approaches problems. For example, look at vulnerability management. Both Compliance and Security professionals are concerned, but from different perspectives. Compliance could offer to set up a structure that ensures scans run on a regular basis and that the control works the way it should. That’s one way Compliance can become a valuable part in increasing the company’s overall security posture.
Make Security Look Good in Front of the Board
As the group often tasked with risk management, the Compliance team can help Security report results in a way that’ll be more meaningful to the board in terms of showing relevance to the business—the impact of their findings, the alternatives for remediation, etc.
As one example: Compliance maintains a risk register, a repository of information about known risks. A Security team is generally less likely to have an up-to-date, comprehensive risk register. When it comes to presenting to the board, Security’s technical expertise may not prepare them to answer the board’s questions about how the company is scoring risks and how scores have changed over time. By sharing risk information with Security, you can help Security prepare for board-level presentations.
Leverage Automation to Spot Issues
Putting out fires is exciting. It’s a whole lot less exciting to keep fires from happening in the first place. But in this sense, you can help Security focus on risks that are unexciting, but still threaten the company.
One way to do this is with automation to make handling necessary but rote work easier and faster. Security teams are familiar with automated alerting tools, but may be less familiar with using automation to replace everyday manual work. Compliance can help Security automate high effort/low value areas, so Security can devote efforts where they matter more.
Here’s another way you can help Security: look at vulnerability management tools, which periodically produce vulnerability lists in order of priority. Going down that list on a regular basis and fixing vulnerabilities is boring and time-consuming, but for the company’s safety, and from a Compliance perspective, it’s essential. The problem is when lists get created but vulnerabilities don’t actually get fixed, leaving businesses open to breaches. If, for example, the Compliance team uses automation so that the list of priorities shows up on the Security team’s dashboard every day, without Security having to pull the list, it can encourage Security to focus on known vulnerabilities, even when there are other lower-priority “breaking news” threats that would otherwise draw their attention away. So Compliance can use automation to help Security do its job.
Have a Heart-to-Heart with Security
As the Compliance leader, you can make sure Security understands the importance of your team’s work. Explain to Security that when Compliance does its job well, security is strengthened. For example, when it comes to IAM, Security may assume that, based on controls, people truly have only the access permissions they’ve been granted. But you know the nitty-gritty details. You know, because every quarter you review everyone’s access and will see when someone has access permissions beyond what they should have. In this way, your team is monitoring whether essential security controls are actually working.
You’re an All-Star Team – Let Security Know It
Security and Compliance might be kind of an odd couple (let’s not say who’s Felix and who’s Oscar), but one thing is pretty clear – you can’t live without each other. Using our suggestions, you can help your team become more valuable to, and valued by, the Security team and thus, the entire organization.