and the Advent of “Partial Compliance” . . .
How do you decide where to start if you are NOT in a regulated industry?
Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . .
I have had more than one interesting discussion with prospective Clients recently. The conversation I have in mind was with a gentleman who runs a company that is NOT in a regulated industry. This particular business does not collect substantial amounts of PII or ePHI, other than the checks he receives from his Clients, which he scans because he relies upon Remote Deposit Capture. He is conscious of the need to protect information about his customers, and has already undergone a high-level compliance audit. He reached out to infotex as a part of his risk mitigation efforts.
But his primary question, which is similar to questions I’m getting from several unregulated businesses, and born of a skepticism that information security is worth the cost, is this:
“Are we in the early adopter phase of information security adoption?”
I almost feel like these businesses are “using my own language against me” because I do preach that you should determine where you want to be “in general” when it comes to the adoption of technology, and I encourage smaller businesses to consider being a “late majority” or even a “laggard” when it comes to adopting technologies outside the core mission of their business.
Now . . . I have to admit my response has evolved as the question keeps coming up. But I think it has stabilized now, to the point where I’m writing an article about it.
And the evolution of my response is interesting. By the time I talked with this gentleman, I had learned to avoid my initial “knee-jerk” response: “You can’t partially comply with information security. The bad guys aren’t going to say, ‘oh wait, he didn’t protect this part of his system, so it wouldn’t be fair for us to exploit this vulnerability.’”
Knee-jerk or not, I refrained from using that response the first time this question was posed to me by an unregulated business. My earliest response was to a woman who was wondering whether holding off on security would mean that, when she DID pull the trigger, she could deploy more sophisticated processes at a lower price. I swallowed my “you can’t partially comply” response, and instead I asked, “do you consider protecting your customers to be one of your core services?” It was easy for me to respond in this way, to this particular person, because she had met me at a webinar where I was preaching that you can be a laggard in technologies outside of your core services.
But this response didn’t work so well in the next few opportunities, partly because I hadn’t had a chance to explain Everett Rogers’ Diffusion of Innovations theory, but also because over time I was realizing that even in regulated industries we CAN justify “partial compliance” with a framework. Let’s face it . . . . even regulated businesses are in . . . . SHOULD BE IN . . . . a state of “partial compliance,” and deciding which gaps you will accept is one of the most important deliverables of a good risk management program!
So by the time I was in this most recent conversation, my response had evolved into this one:
“You should base the level and timing of adoption on the promise that you are making to your customers.”
My prospective Client had asked, “once we choose this framework, what would make us want to be in ‘full compliance’ with it? Why not strive for ‘partial compliance?’” By the time we had this recent conversation, I had abandoned the “no partial compliance” answer. Don’t get me wrong, I will always answer any question about “where do we start” with “conduct a risk assessment.” To me, no matter WHAT you decide to do, the risk assessment has to be the decision-making tool.
But beyond that, I’m totally behind the concept of “partial compliance.” In fact, I would recommend that NO small business be in “full compliance.” But you still need to determine where, on that compliance spectrum, you want your business to fall.
So when asked, “do we become an early adopter of Information Security in general,” my response is now squarely at the following:
“Base your compliance response on the promise you’re making to your customer, whether overt or as part of your ‘illusion.’ Use this promise to determine how much risk is acceptable. And then articulate your current position with a risk assessment.”
Like any other technology adoption, you need to decide how important information is to your company, from two angles: your reputation with your customers and its value to your own company.
Because you are not regulated, this decision is more difficult. Your customers MAY be forgiving if you experience a breach. The implications of your adoption decision are more crucial for you than they would be for a financial or healthcare institution, because regulated businesses have no choice. Compliance to them is as much a “cost of doing business” as rent and utilities. If there is a breach and the aftermath shows they are “not in compliance,” they’ll be in big trouble. That, in fact, is what makes you a “non-regulated business” . . . . no regulator is requiring you to focus on information security.
So to me, it boils down to this: what promise are you making to your customers?
- If you are my daughter, selling oil paintings for a living . . . and wow, she’s actually making a living at it! . . . . there simply is NO promise to her customers. Some pay by cash, some by check, some by PayPal, but my daughter is not giving ANY illusion that she is protecting your name or that check.
- If you run a gas station, I would say the extent of the promise to your customers . . . . at least as it relates to information . . . is that if they use their credit card at the pump or in the station, you are complying with certain ‘standards,’ set by the Payment Card Industry (the PCI DSS), to protect their card number and any other information associated with it.
- If you also use any type of “discount card,” then depending on how you use the other information collected at the point of sale, you may also be making a promise, or at least “giving the illusion,” that you are using that information only for internal purposes, not selling it, and protecting it as well.
If, in the course of your business, you collect Personally Identifiable Information (PII, which could be PHI, ePHI, NPI, etc., for those of you in regulated industries), your customers are expecting you to protect that information, and that expectation becomes part of the “illusion” you are giving to your customers even if you are not overtly promising that protection. That illusion is part of your “customer service process.”
If you do NOT collect PII, then there is no illusion.
Most companies collect PII when they accept a payment, even by check. We can say the volume of that is small enough that it’s not worth jumping through a whole bunch of hoops to protect that information, beyond common sense controls (though keep in mind that a scanned check image carries the customer’s bank account and routing numbers, so those common sense controls should at least cover where the images are stored and who can get at them). But if you are collecting information beyond that, ask yourself: do my customers expect me to protect this information? Is that part of our “customer service promise?”
The key question you must ask yourself is this: what are you promising, and how important is it for you to keep that promise?
Because if information security is part of your promise, then you should be an early adopter of information security technology. If not, then yes, play the numbers game and, in the spirit of “partial compliance,” go after the low-hanging fruit so you can increase the likelihood of “staying under the radar.”
But also know that you could eventually be breached, so if you are fooling yourself, you are also fooling your customers . . . and they won’t be happy about that!
Original article by Dan Hadaway, CRISC, CISA, CISM. Founder and Managing Partner, infotex
Dan’s New Leaf is a fun blog to inspire thought in the area of IT Governance.