Business progress, resilient and compliant by design

What’s more, it is often encouraged – and will increasingly be enforced – by growing regulatory pressures. In January 2023 alone, the Digital Operational Resilience Act (DORA) and the Network and Information Security Directive (NIS2) entered into force, with both carrying significant business implications. DORA requires European financial institutions to ensure their business technology can withstand disruptive events, thus having public cloud exit plans and measures against ransomware in place. NIS2 requires EU member states to boost the resilience of their IT infrastructure by enforcing a culture of security across IT-dependent sectors that deliver vital services to society and the economy, thus categorizing more organizations as vital and therefore subject to more regulations.

Regulations cast a long global shadow and though their provisions have become more concrete, their implications in a complex IT landscape can be confusing. In an atmosphere heavy with volatility, uncertainty, complexity, and ambiguity (VUCA), decision-makers have grown more risk-averse. Worried their ambitions will conflict with legislative requirements, they postpone tech modernization moves. Their organizations become slow to market and fall behind the competition.

But actually, business progress and compliance go hand in hand. With a multidisciplinary understanding of their legislative and technical frameworks, regulations should enhance, not slow down, business. The right knowledge safeguards against overly narrow or literal interpretations that can lead to organizational inertia. Building resilience counters that inertia, even in an ever-changing VUCA world.

Staying in control
To be in control and stay in control amidst volatility, organizations must have a realistic vision of IT. Foremost, this means acknowledging that everything everywhere has become more digitized. Plus, with 64% of the world population now using the internet, we are nearing an age when almost everyone has a digital footprint.

So, while it might seem that tech regulations are becoming more complex, it is in fact the entire IT landscape that is becoming more complex. Technology today is made up of systems that are highly diversified and embedded in also highly diversified organizations, ecosystems, and industries in which multiple global parties interact to deliver services. On top of that, business is demanding swift developments in tech and design to meet consumer expectations for speed and user-friendliness. That’s a lot of moving parts to regulate rather than a lot of regulations per se.

Governments and regulatory bodies aim to tame the risks that arise from that complexity. Ultimately, they protect the public interest while leading organizations to uphold their duties and responsibilities no matter how widely or deeply digitized they become. Having clear insight into the technology, in all its diversity, makes it easier to see how technology falls within the scope of regulations – or, of equal importance, how it does not.

The whole system in the room
Seeking to minimize uncertainty, organizations must be prepared to work silo-free. To really grasp regulatory impact, technological, business, compliance, and regulatory priorities must all be accounted for equally. Engaging the relevant parties simultaneously is what we call getting the whole system in the room.

Staying compliant entails far more than asking the legal department if some ruling will compel changes to daily operations or result in a fine – after all, the in-house lawyers don’t have spare time or capability to take cloud certification courses. Instead, when the interests of tech, business, compliance, and regulation are represented, a 360-degree understanding can be achieved and activated. This breaks silence between disciplines, preventing assumptions and promoting understanding of one another’s perspectives. Who is responsible for what becomes explicit as do which measures or mitigation mechanisms should, at a minimum, be in place. The leadership also receives support, with the whole system reducing liability risks borne by the C-level on behalf of the institution or, in a rarer instance, personally.

If parties cannot understand each other’s needs or struggle to see beyond their formal work purviews, they can learn to speak each other’s languages better. In our experience, most year-long stalemates caused by regulatory confusion can be resolved in two hours, such as by holding a whole-system-in-the-room workshop. The key to efficiency is having all parties present to carry out a holistic analysis. This permits a thorough understanding of risks and potential measures to determine whether the organization can mitigate the risks or, if not, how to manage that.

A proper risk assessment
With a realistic vision of and insight into the digitized world, it becomes obvious that digitization always comes with risk. Confidentiality, integrity, and availability are not new compliance principles, but they are also the bedrock of the modern-day regulations that guide organizations through complex risks. A proper risk assessment then cuts through that complexity.

Before countering risks in the first place, it is important to recognize that regulatory oversight is based on principles rather than rules. Regulatory provisions must therefore be translated into real-life impacts on IT strategy and everyday business operations. This can be tricky since some cases, such as Schrems II – which invalidates the EU-US Data Protection Shield as an adequate safeguard for the General Data Protection Regulation (GDPR) – do not set out to define compliance. That said, there are concrete ways to lift compliance confidence, such as our own chosen methods of automating auditing; monitoring thirdparty suppliers; integrating key security and compliance controls monitoring; and dashboarding the security status of entire customer environments. As a company, we also rely on certifications (e.g. ISO 27001) and assurance (e.g. ISAE 3402) through which certified third-party auditors validate our internal control.

Still, organizations need to comply not on paper but in practice. Clarity to do so comes from drawing expertise from the whole system in the room. This kaleidoscopic knowledge facilitates a clear assessment of all the risks involved, including those potentially incurred via suppliers and third parties. From there, decisions can be made according to risk appetite and in the service of business continuity. Over time, organizations will be able to make educated predictions about their own futures and anticipate the expectations of regulatory bodies. Eventually, compliance becomes a more organic, instinctive process. By design, it then attends to the data protection and privacy implications of the Schrems II ruling; boosts digital resilience to follow the provisions established by DORA and NIS2; and strengthens cybersecurity standards to meet a climate characterized by rising ransomware and DDoS attacks.

Change in mindset
Although we remain in an era full of ambiguity, organizations can still maintain business continuity and reap the benefits of innovation and growth. Secure, compliant infrastructure provides the building blocks that form a foundation for the business. This gives rise to the resilience necessary to withstand challenges, changes, and the evolving spectrum of regulations intended to manage them.
Above all, resilience demands a change in mindset. Resilient organizations know and understand their own intents. They make pragmatic, fact-based decisions about how to handle their technology, reflecting their unique operational context and individual risk profile. They strike a balance between due diligence and excessive risk aversion – extremes in either direction work against value creation. Resilient organizations approach compliance with an enterprising spirit. Reading regulations with curiosity rather than a sense of burden positions them to optimize their IT landscape while absorbing minimal risk.

Compliance then comes to be accepted as a continuous improvement process. It encompasses implementing checks and balances while checking off the ABCs of digital hygiene year-round, not only in the form of an assurance report released every January. Like security, compliance becomes an integral component prioritized from day one of any initiative. As we see it, for as long as a solution is secure-bydesign, it should be compliant-by-default.

A common question heard in the boardroom is: how can we avoid risk? But since risk is inevitable, we suggest instead asking: how can we increase resilience? How can we build a foundation that, even if wrong choices are made or a new type of malware should intrude, we can self-correct or recover while staying within our risk appetite? In reply, we urge organizations to embrace a compliant-by-default mindset not because of but in spite of VUCA and, by doing so, to enable their business progress.