Wanted! Chief Compliance Officer
There is some talk in companies about creating a new position to ensure regulatory compliance across the enterprise.
The term being used for the moment is Chief Compliance Officer.
According to Tech Target, this is a basic job description:
Staying current with new and updated regulations. These may include state and federal laws, as well as industry-based accreditation requirements.
Developing and maintaining a repository of regulations and the organization’s compliance status. This provides a quick snapshot and a valuable reference document. When new regulations emerge, this tool can identify any overlap with pre-existing regulations.
Understanding how each regulation affects the organization and explaining the impact of non-compliance to leadership.
Developing cooperative relationships with those charged with implementation, such as the ISO and the Privacy Officer.
Developing documented and repeatable evaluation processes to verify that underlying controls are adequate to meet requirements.
Periodically performing evaluations and reporting outcomes to senior management.
Developing processes for the workforce to report non-compliance issues to the CCO and how the CCO will respond to those issues.
Reporting compliance deficits and lapses to senior management and ensuring they are remedied.
Tech Target goes on to say:
‘An effective CCO is a great asset to the CISO and the information security program. The CISO can make a case for this position as an added layer of protection for the organization. The CCO brings a fresh perspective to security and other regulatory controls and may spot program opportunities or weaknesses that the CISO is too close to see. …’
See the entire article on:
http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci1111697,00.html
In my view, while it is okay to appoint someone as CCO, the position should be defined and structured in such a way to avoid duplication with other job functions - especially those in legal, risk management, operations and of course security departments.
How do companies ensure internal ‘buy-in’ so that a candidate is able to discharge his responsibilities? How is the position structured so that he can get the necessary cooperation from the various other sections of the enterprise? As we all know, large corporations have power centres which do not necessarily reflect the organizational structure.
So I think that before businesses rush to employ a CCO, a lot of consideration should be given to what value someone will bring to the organization and how the individual can deliver clear, measurable results on an ongoing basis.
Broadly, the way that companies work these days is that they engage an external consultant to scope the work required to achieve compliance and also to conduct ongoing compliance audits to verify that they aren’t breaking any rules which may land them in trouble with the regulator or law making bodies.
This effort is largely coordinated by a few top-level internal executives, since compliance is a complicated field which requires in-depth domain and technical knowledge, legal expertise and also practical hands-on industry experience.
Is it possible to find such skillsets in-house? Will the results be better than hiring outside consultants, who bring specialization and experience with their services? And, if the CCO fails in his / her duty, what is the backup procedure or verification process to ensure compliance? Another guard to watch the guard.
Time will tell. In my experience, a lot of Information Security Officers or Privacy Officers are stunted by internal obstacles, lack of planning and budgetary support, lack of clear direction from the board, etc. Additionally, they are often simply bestowed with the title in addition to their existing job responsibilities; for example, a Company Secretary may also be the Privacy Officer.
Comments? Let me know.
RiOn
