Reducing the cost of compliance: A non-conventional approach

Knowing that non-compliance is a non-option, companies have shifted their focus from the costs of non-compliance to the costs of compliance. So what’s the key to cost-effective compliance?

A couple of weeks ago, I had an interesting discussion with a client who is a compliance manager for a Fortune 1000 retail company. One of the challenges he needed to address is a perennial problem: the cost of compliance.

By no means is he alone; I see the same challenge across the CA customer base. I’ve noticed that my discussions with clients have shifted from the costs of non-compliance (it’s now a given that non-compliance is not an option) to, “Knowing that compliance has to be a top priority, how do I reduce the costs of making compliance happen?”

Categorizing compliance costs

To reduce costs, we first have to categorize and measure the costs. One of the most effective ways of doing that is to divide them into direct and indirect costs.

Most direct costs stem from purchasing and implementing a compliance/attestation tool such as CA Identity Governance. The good news is that this direct cost reduces indirect costs by streamlining the attestation process.

Indirect costs

A significant indirect cost of compliance is the extraordinary amount of time and number of resources required to perform conventional case-by-case entitlement attestations across multiple systems and applications. For instance, at one large telecom customer, hundreds of business line managers, systems and application owners, and data custodians had to evaluate more than 1.5 million entitlements for 40,000 users. Surprisingly, respondents did not highlight this cost of compliance in this insightful Thomson Reuters survey.

This is an indirect cost that we must consider – and reduce – since it has not been measured as a cost of compliance.

The conventional case-by-case approach has a fundamental flaw: the need to approve or reject every entitlement. When I meet with clients who plan to use this approach, I ask them, “What process do attesters use to approve/reject entitlements?” Invariably, the answer is to determine whether or not a user needs the entitlement to perform his or her job function.

That leads to my next question, “How do attesters determine the user’s job function?” Here, the compliance manager invariably responds that the user’s function is determined by data such as job code, title, department and so on.

The solution

The solution for reducing this indirect cost of compliance is to manage the number of users and/or entitlements to be certified. This reduces the amount of data to be collected and the time your resources need to attest users.

But how best to do that? The approach I find most efficient is attestation by exception.

Attestation by exception starts with defining criteria for pre-approved entitlements, in which everyone with the job title of, say, accounts payable analyst is assigned a pre-approved, identical set of permissions. These criteria to determine permissions become the rule, certified by data custodians and/or business line managers. With that rule in place, only those permissions that fall outside of the rule (i.e. the “exceptions”) require hands-on attestation. This two-step process cuts down considerably on case-by-case approvals, saving the enterprise time, money, and human resources.

Recently, CA Services helped a health insurance company make precisely this kind of improvement. By using predefined criteria for assigning entitlements to create exception rules, we reduced the amount of data – and the people hours to process the data – significantly.

Of course, any organization will periodically change its rules, recertify rules as they change and evolve, and shift staff into new job functions with permissions that differ from those for their previous positions. However, with predefined criteria for assigning entitlements, these changes present far fewer challenges than in the conventional case-by-case approach.

We can further reduce the cost of compliance via birthright roles, and I’ll discuss them in my next post. In the meantime, I’d like to hear about your challenges with compliance costs. Please leave me a comment below.


A seasoned security professional with over 20 years of experience in the IT consulting field…

Comments

rewrite

Insights from the app driven world
Subscribe Now >
RECOMMENDED
DevOps and Cloud: Better Together >Cloud and DevOps: The Bacon and Eggs of the Modern Software Factory >Staying Positive in the Age of Ransomware >