IT Compliance

If you are like most people in business today, you are up to your eyeballs with “compliance” requirements. Sarbanes-Oxley, GLBA and HIPAA might not have been too bad, assuming they even affected your organization at all. But now there is PCI DSS, the HITECH Act, FTC Red Flags and breach notification rules, and the dozens of state breach notification laws on top of everything else.

With all this recent government and industry intrusion into the free market, you would think it is next to impossible to get things under control. Well, it is that way for many organizations. But it is not the mere existence of these laws and regulations that is bringing people down — it is typically how people are handling them that is causing the problems.

Being an outside consultant, it is easy for me to make recommendations to clients and be done with it. Not having to get caught up in the day-to-day grunt work and political barriers is indeed an advantage. But I see something related to security and privacy compliance that is consistent in all types of businesses regardless of their industry and size — it is people duplicating efforts trying to address each of the laws and regulations on a case-by-case basis. For instance, they will spend good time and money tackling HIPAA. Once they have gotten it under control, they will start over with GLBA and then on to PCI DSS. Next, they will sort out all the state breach notification laws, and on and on. This approach certainly keeps people busy and may be good for job security, but it is very costly and completely inefficient.

If you feel like your organization is spending too much time on compliance for the sake of compliance, here’s what you can do to truly get your arms around this beast:

Make Compliance a Team Effort

If you are going to get things under control, the first thing you need to do is assemble a team of stakeholders into a security committee (or whatever you want to call it). This will likely be legal, HR, marketing, operations, internal audit, IT and at least one member of executive management. Every business is different. You will have to find out who is going to be able to effect the most change. Obviously, forming such a committee will require the backing of management. None of what I am writing about is sustainable without management’s support. But that is for another discussion.
