Compliance Success: Fostering relationships in a changing environment

Written by Kerry Jones, Head of Compliance and Information Security at DigitalXRAID 

People always find it surprising when I tell them I started my tech career in a call centre. Their surprise doesn’t come from the role itself but rather the size of the ladder I climbed to get to the role I am in today. At the time, I couldn’t have even dreamed of being the Head of Compliance for any company, largely because that role didn’t exist as it does today. The concept of compliance as I know it bloomed with the digitisation of business, which created a need for information security governance teams. As I developed my career, I watched compliance develop as well, until it became a critical element of modern business. 

Today, as Head of Compliance at a SOC Provider and current Cyber Security Woman of the Year, I can confidently say that we’re just getting started in terms of technological evolution and the regulations that come with it. Between the spread of AI and the surge in cyberattacks in recent years, many new regulations have come into play, looking to help mitigate the risk that comes with rapid adoption of new tech. 

In this ever-changing environment, it is vital to understand that compliance is not static. It is a process of continuous improvement and development of security strategy and posture and involves everyone within the organisation – not just the C-Suite. 

We’ve seen a year of change 

2024 is a time of great change in the digital landscape – and outside of it, as 64 countries hold elections that could impact much of public policy. For security and compliance leaders, new regulations coming into force such as NIS 2, DORA and ISO 27001:2022, and updated frameworks like NIST 2.0, will certainly be a pressure. 

ISO 27001:2022, for example, will introduce a more tailored framework for information security management, with a focus on threat intelligence, cloud and data security, and building out resilience. NIST 2.0 is addressing a different side of the cyber landscape: the lack of awareness of cyber security at the board level. The 2.0 update is designed to encompass all organisations instead of just critical national infrastructure, and it introduces the new ‘Govern’ pillar, calling for board participation in decisions concerning the development of organisations’ security strategies. 

With AI we have a slightly different story, where a clear lack of regulation, or even of awareness of the technology’s full capabilities, forces compliance professionals and regulators alike to remain responsive, alert, and flexible. AI’s development is showing no sign of slowing down. In the past 12 months, it has become prevalent in almost every industry, but there is still little discussion on how its use will be kept in check or who is responsible for doing this. This is not just a recommendation for this year; it is a necessity. The current lack of governmental regulation should not be seen as an invitation to let AI run wild. Instead, organisations should feel the pressure to develop their own safe AI employment guidelines, and compliance officers should oversee their upholding. 

Tackling a challenging environment 

Within my own organisation, it’ll be at the top of my priority list to get the team prepared and clients educated for the transition. Today’s dynamic environment will require diligent oversight of regulation changes to ensure nothing is being missed, paired with proactive training and education to keep everyone in the company up to speed. Keeping a close eye on the ISO 27001:2022 transition, we’ve been putting a lot of plans together to ensure we’re doing the transition correctly and not cutting any corners. But that is not the only evolution to consider – the threat landscape is ever-looming and has no shortage of new techniques and tactics to attack businesses. A key priority for me is to continually develop and test incident response plans, both for our internal security team and our clients, through table-top exercises. Ensuring that these table-top exercises are carried out in accordance with the chosen regulatory framework, be that ISO or NIST, and properly reviewing and remediating areas of failure, is critical for organisational security. A culture of compliance allows us to continually re-evaluate and improve security strategies in order to stay ahead of emerging threats. 

With AI in particular, I have to practice what I preach: developing clear internal guidelines for its adoption has been a clear priority over the last year. People are generally the biggest risk when it comes to AI. It is accessible to anyone, meaning that not all users will be technically advanced, or aware of the security implications. It is crucial for businesses to do comprehensive internal reviews of their AI policies, complete with robust security monitoring, to mitigate the risks that these tools can introduce. There is no sure-fire way to stop people from using AI, so the best way to mitigate the risk is through education, awareness, and preparedness. 

Success stems from relationships 

This is a time of uncertainty for businesses, and the legal, risk-centric world of compliance can be an intimidating one. In my years of experience, I’ve found that fostering positive relationships with clients has helped mitigate the stresses of auditing and compliance and has helped organisations move forward in improving their security postures. 

This has led to one of my core beliefs about this industry: compliance needs to be an open conversation. In the end, everyone in the company is responsible for upholding compliance standards, so everyone should be involved and encouraged to participate in the conversation. People are generally surprised when they first meet me for audits because they have a preconceived idea of compliance officers, and I don’t fit the bill. But diverse voices in compliance can be a real asset, and my personable approach to work has led to more success, trust, and longevity with my clients. It’s important that customers understand that we’re there to help them improve their strategies, not scrutinise or punish them. Compliance should never be a pass-fail exercise, but rather an opportunity to discover weaknesses and strategise improvements. Creating a safe space for education and development is really the key to success. 

Evolving technologies, guidance, and priorities show no signs of slowing down in the coming years, and likely won’t for a long time. In fact, regulations will only become more stringent, and compliance will remain a top priority for businesses. Changing the narrative of our industry from ‘dreaded audits’ to ‘opportunities for improvement and evolution’ is the only way forward in this complicated security landscape.