By Russell Pelham, Presales Engineer
With today’s always-on, nonstop pace of business, organizations face no shortage of high priority projects coming from every direction that demand their attention. This is especially true of IT security and compliance teams, who must keep up with constantly evolving threats and the ever-changing landscape of national and global regulations.
Having to keep up with so many initiatives makes it easy for lower priority items to slip through the cracks and fall off the radar of employees all the way up the chain. Among the many reasons security and compliance initiatives are delayed, many companies simply find it extremely difficult to overcome the inertia of procrastination, and once compliance projects have been deprioritized, it’s hard for them to make their way back onto the to-do list.
Common Reasons Companies Avoid Investing in Cybersecurity
The security of your company is too important to postpone, and it demands attention from all levels of the organization. In order to get on top of the issue, however, it’s important to understand the drivers keeping these projects from coming to fruition. Among those putting off true compliance, we’ve found that the majority of companies have delayed investing in a compliance program for at least one of the following reasons:
1. The Company Lacks Internal Expertise: Often, executives know that a compliance program needs to be put into place, but they lack the knowledge of what is necessary to implement and maintain a complete plan. As a result, compliance teams may not receive the direction they require for these initiatives, and leaders are content to hear “We are working on it” for an extended period.
A fitting example is organizations looking to implement disaster recovery plans. The company knows it needs one, but without expertise on the team, little progress is made. Then a real incident, like Hurricane Sandy, hits, and it is revealed that the plan does not adequately protect the company from unnecessary risk. The impact on the organization in these situations is very real.
2. The Company Is Trying to Cut Costs: The cost of compliance is not money people really want to spend. Compliance doesn’t necessarily create functionality, and it often looks more like a money pit than a value driver for the business. Because many teams must prove ROI on yearly expenditures, and because risk reduction is difficult to express in monetary terms, compliance projects are the first to get the axe when budgets are built.
3. The Odds of a Data Breach Appear Low: Some companies are simply playing the odds, hoping a data breach doesn’t happen to them. “There are so many better targets out there, the odds of us being hit by an attack that results in a breach are minimal.” In actuality, the odds of facing a data breach are as high as 1 in 4, according to the Ponemon Institute’s 2017 Cost of Data Breach Study. Your company’s livelihood isn’t worth the gamble.
4. Compliance Projects Can Be Complex: Finding the right solution to mitigate risk can be challenging, and it is rare to find a single solution that covers all aspects of a compliance initiative. Layering on many different technologies is not only proving ineffective; it is also overly complex and expensive. Managers may find themselves thinking, and rightly so, “For every point solution I deploy, I have to hire or train someone knowledgeable in that solution. If I must do that for multiple disparate solutions, my personnel costs are going to skyrocket.” It can also be difficult to find a solution that solves more than one issue. The Pause and Resume method of call recording, for example, was once suggested as a way to achieve PCI DSS compliance, but it only removes the call recording itself from scope and is often unreliable.
5. The Urgent Drowns Out the Important: In business, there’s no question about who the real boss is at the end of the day: the customer. When customers demand a new product or feature, those projects often take precedence over the internal-facing ones the customer never sees. After all, no one gets a reward for not having a data breach; they just get punished harshly once one happens.
While customer demands tend to be urgent, it’s essential to make sure that they don’t also drown out the important projects, like compliance and security. While you likely won’t win any new customers by avoiding a security breach, you surely will lose some if one occurs.
Organizations that put off investing in proper security and compliance programs are ripe for exploitation by cybercriminals. Breaches do occur, and the consequences are real. The financial and operational impacts of a security breach, including fines, remediation costs and the loss of customer confidence, are all compelling reasons to develop and execute comprehensive compliance initiatives.
Best Practices for Reducing the Risk of a Data Breach in Your Own Contact Center
While we encounter a large number of organizations that face these challenges, we also have the good fortune to work with many companies that are able to overcome these issues. CSOs, VPs, QSAs, ISAs, compliance officers, COOs and call center operation managers can all make a compelling argument for building solid, productive, even revenue-enhancing compliance programs that enable the success of the organization.
Here are some of the best practices we have found to deliver robust compliance programs and some convincing arguments that can help your cause.
1. Share Your Vision for a Bulletproof Company Reputation with Your Executives: Senior executives are usually a risk-averse community. Regardless of any opinions to the contrary, compliance projects are critical for ongoing success. These programs are direct investments in your brand – not money lost, or just another line-item expense. It is money spent to protect the company’s assets. In the C-suite, money talks. Executives have a shared interest in protecting the organization from a security breach that would result in damage to the brand and a potential loss of customer confidence. Such events negatively impact the company’s share price, market capitalization, institutional investment activity and ability to secure new business, and they may force changes to the internal operational structure. Senior executives may be focused on the bottom line, but they also care about protecting their investment. Leverage this shared view to establish the fundamental need for a secure environment and the budget required to achieve it.
2. Act Now and Act Decisively: Establish your commitment to creating and maintaining a secure and compliant environment. No one is going to thank you for proactively avoiding a security breach, but you may end up losing your job for not doing so. Don’t delay – act now and act with confidence. Even in the worst possible scenario (a data breach), the proactive steps you have taken to secure the organization may not only save the day, they may save your job!
3. Stress that Compliance Is an Ongoing Initiative: A lot of execs boil compliance down to a single question: “Do we have our compliance certification?” However, informed compliance personnel know that you may receive a PCI DSS Report on Compliance (ROC) one day and be vulnerable to a breach the very next day. As a former general manager of the PCI Security Standards Council was fond of saying, “You are just one control change away from becoming non-compliant.” Let your execs know that you are working every day, year-round, to maintain the high standard you displayed in earning that Report on Compliance. If they know you are diligent in creating and enforcing a compliance program, they are more likely to fund the initiative.
4. Find Solutions that Complement Other Business Objectives and Have Widespread Impact: Carefully choose solutions that eliminate underlying systemic security issues and deliver as much operational impact as possible. Seek out vendors that want to help educate you and are true partners in compliance. Products such as Semafone’s DTMF masking solution, Cardprotect, prevent the exposure of sensitive information to downstream components (including the agent community), which greatly reduces your PCI DSS audit footprint and the opportunity for data entry errors by agents. Additionally, such a solution creates a more secure environment for your consumers’ sensitive data, delivers a positive customer experience and may even improve Average Handling Time (AHT). On top of all that, your organization may see a reduction in cybersecurity insurance premiums. A solution with such a wide range of positive impact is an easy sell to management and can greatly reduce your overall effort to create a more secure and compliant environment.
Why wait? Choose today to make the commitment to improve the security and compliance in your organization and make sure everyone shares your vision. With the right tools, guidance and best practices you can be a hero to your organization.
Putting off the decision may be devastating – act now to ensure a bright future for your organization!