If I’ve learned anything over the past few years working with customers on their compliance journey, it’s that the successful ones have engaged stakeholders from across the organization early and often. Gaining and maintaining compliance is much more than an IT administrative task or a Legal/Risk/Privacy concern… it requires everyone across your organization to be engaged, informed, aligned, and committed to your compliance end goals. Some may not even realize they’re part of the team, but everyone has a part to play in the Compliance game.
Compliance is the framework of rules, regulations, standards, policies, and practices within an organization that must be adhered to. Within Microsoft 365, this includes, but is not limited to, the following features to support: information protection, data loss prevention, information governance, records management, eDiscovery, Audit, Insider Risk Management, Communication Compliance, and Compliance Manager.
I love the team sport analogy because it makes the seemingly complex topic of Gaining Compliance relatable and demonstrates the how and why behind each team member’s role in an organization’s compliance “win”. I’ve split the team across 6 key areas:
The Head Coach.
Direct role. This is not a single person, role, or team, but rather the overall Compliance strategy and program in your organization. There are typically many roles involved in the development of the program to satisfy your organization’s compliance obligations based on industry, region, and your own unique business needs. To name a few: Executive sponsor(s), Security, Governance, Privacy, Legal, Risk, Audit, Records Management, and IT.
Although information workers are not directly involved in the development of the program, the impact it will have on them should be top-of-mind when making decisions and implementing controls affecting them, whether they be automated, process, or manual controls.
Like the pep talk before a game from the Head Coach, it’s crucial to have and maintain strong messaging around the Compliance program in your organization. A good practice is to have strong executive sponsorship and messaging to all users across your organization to explain the why.
The importance of compliance needs to come from the top.
Direct role. Defense is where I see organizations start their compliance journey if they’ve already experienced a privacy breach/data spill/regulatory fine and the organization needs to take immediate action to resolve the issue and prevent further damage. Examples of this: configuring alerts, blocking services, reviewing audit logs, expiring access, placing legal holds on mailboxes, etc.
It’s an imperfect world and you can’t eliminate all defensive work, in fact it’s a necessary part of your overall compliance and corporate governance approach in the modern workplace; however, it’s always better to be more proactive in your approach where and whenever possible.
Direct role. This is the proactive steps an organization takes to ensure compliance/mitigate risk before an incident occurs and are the specific controls an organization has implemented in their Compliance program. Implementing Data Loss Prevention policies across endpoints and services, setting up an org-wide deletion policy for email, defining a data classification scheme to inform the creation of sensitivity labels, and having an auditable guest user review process are all examples of what an organization can do in advance to improve their compliance posture and mitigate the risk of a compliance failure. This takes thoughtful planning and a proactive organizational mindset to spend time up-front to put required controls in place. As the saying goes… An ounce of prevention is worth a pound of cure.
The immediate need to send workers home due to covid-19 forced a Hurry up offense for many organizations. This accelerated the timeline for implementing many of the technical controls to mitigate potential compliance risks due to the majority of staff moving to a work-from-home model.
Direct role. This is the last line of defense. No matter how good your defense is, in the current age of sophisticated threat, there will always be something that gets by the defense and aims for the open corner in the net. These are the end-users/information workers/frontline workers in your organization and includes everyone interacting with content across your systems. Get your information governance strategy wrong and this group will let you know. Worse yet, they may not let you know, and will, instead, find a workaround you are left to discover on your own.
A well-informed user is an ally on your compliance journey. A couple ways to help are:
- be fanatically consistent in what you call things across documentation to eliminate end-user confusion
- build compliance training in your organization to explain the how and why this is important
- place training on a modern Communication site and link to it from the numerous help link locations across back-end compliance features
- leverage automation as much as possible to reduce the burden of compliance
Direct role. Officials are both internal and external roles who have an elevated level of understanding of the regulations, legal obligations, and business processes your organization must adhere to. They live and breathe compliance.
Internal roles could include the legal, risk, security, privacy, governance, records management, and internal audit teams in your organization. They’re involved in understanding/interpreting compliance obligations and translating them into organizational execution, and are typically involved directly with the compliance features within Microsoft 365. IT administrators often work closely with these internal roles in setup, configuration, and training.
External roles could include the regulatory bodies, laws, lawyers, and auditors interacting with your organization. These groups assess how well your organization is executing on the required obligations.
Consequences of non-compliance can be harsh, both financially and reputationally, so it is critical for your organization’s internal roles to be aware of the regulatory/legal requirements and how you will adhere to them.
Indirect role. These are customers/vendors/partners and the public interacting with your organization. You don’t have to think too long about what happens to a company’s reputation if a data breach has happened and data that should have been deleted years ago hasn’t been and is now exposed. This can be catastrophic to an organization depending on the severity, breadth, and nature of the breach.
Commentators will judge from afar and won’t hesitate to publicly admonish an organization particularly if a breach has affected their own data. They’ll give the unvarnished truth about the impact it has.
What about the Spectators?
Indirect role. This group consists of those organizations that perhaps know they need to be more proactive in their approach, but they’re not sure how to get started so they are watching… and waiting… for what, I’m not sure. A silver bullet?
As a consultant specializing in the Advanced Compliance features of Microsoft 365, I’m asked time and time again where a good place to start is, what other organizations are doing, and how they can learn from others’ successes (and mistakes) on their compliance journey. They are trying to be proactive and want to set it up right. I get it. Although this is a complex problem and requires up-front planning, it’s not a good idea to remain a spectator for too long… at some point you just need to jump into the game.
For this very reason, the crawl-walk-run strategy is a good approach and one that Microsoft also recommends. Start with something, even if its small, to move the compliance needle in the positive direction.
Hope you found this analogy helpful and can relate some of these areas back to your own organization.
It’s a team sport. You win together and you lose together… Game on.
Thanks for reading.