Forbes cites an apt quote from Dr. John Lund—a family counselor and business communications consultant—where he recommends, “Don’t communicate to be understood; rather, communicate so as not to be misunderstood.” Good and solid communication is—as you likely already know—the cornerstone of a successful joint business venture, so it is worth serious and robust effort to learn the necessary philosophies and languages you will come up against.
At the very least, misunderstandings can cause delays, confusion and a compromise of trust. Far worse are misunderstandings that lead to data breaches and other types of exposure that leave your business—or your future business partner’s organization—open to all types of negative consequences. In the end, the lion’s share of responsibility falls on your organization. At minimum, your potential business partners will appreciate any proactive measures you take to align your vision with their own, in the interest of protecting their company’s interests.
Clearly and candidly letting new and prospective business associates know what you need from them or what you can do for them—as early as possible in communications—is essential to forming a lasting professional association in which you can place your trust. That same solid communication pathway also gives them a clear view of any expectations you have of them, which may include investing in security upgrades and undergoing compliance audits.
Why Is Communication about Compliance Important?
The whole field of security and compliance has become very complex and far more necessary than it was, say, 20 or 30 years ago. Not only do professional service firms, like I.S. Partners, need to be aware of and focus on these areas, but so do our clients and their third-party connections. It’s sort of a domino effect.
Let’s look at a vendor relationship, for example. If one of our clients has a vendor that processes or hosts data, and that relationship is not secure, it poses a risk to the client. In that case, it could negatively affect us as well. So, everything is interconnected these days and, because of that, we must be able to communicate and provide effective compliance recommendations to our clients, as well as to their third-party users.
“Let’s take the example of a software as a service (SaaS) provider. Much of the demand for the SaaS provider to become compliant comes from their third parties and customers who are comparing the software product and services to others. Compliance attestation, like PCI or SOC 2 certification, provides extra reassurance that another similar product may not have. In that sense, proof of compliance is a valuable competitive edge.” – Jena Andrews, CISA and Senior Auditor at I.S. Partners, LLC
Which Players Need to Be Involved in Communications?
Your prospective customer, vendor or business partner must mirror your own business’s system and compliance measures. This necessitates ongoing communications. “That’s why this whole thing is so important,” explains Anthony Jones, Senior Partner at AWA. “Your security approach must mirror your customers’, business partners’ and clients’ efforts; all their requirements need to align and work in unison.”
Making sure their information technology team understands your system and data needs as well—particularly relating to internal controls and objectives—is crucial to properly aligning their system, as needed. The business must also commit to ensuring that their own staff complies with the security required by your own organization to avoid any unauthorized usage or errors that put your data at risk. It may also help if the business has a compliance officer on staff to take the lead on regulatory issues.
Your professional auditing team can also help you determine the key players in forming a successful business partnership with a company committed to helping you maintain optimal security and compliance.
Who Is Responsible for Compliance Communications?
Ultimately, it’s the external auditor’s responsibility to keep up to date with the current frameworks and versions of compliance testing in line with today’s standards. It’s important, however, for companies to also have their own compliance conversations internally. They need to understand their clients’ industries and the compliance needs related to the services they’re providing. While I.S. Partners can help with that scoping process, internally those conversations need to take place and that knowledge needs to live within the organization.
“Another factor is vendor due diligence,” explains Jena. “We always recommend that our clients reach out to third parties and service providers annually and request up-to-date documentation.” You must make clear to any new or potential business partner who is responsible for the security of your data and for compliance with regulations, standards and policies.
What Tools Should be Leveraged in Communicating about Compliance?
“Security questionnaires are the tool for a lot of these communications. Organizations require that their customers fill out an annual security questionnaire. By checking in and getting updated information on a regular, rotating basis, the organization is also communicating its security requirements and current compliance goals. These questionnaires will ask about when the last SOC audit was performed, if they’ve had pen testing done, and whether PCI and ISO 27001 compliance have been assessed. These also get a baseline on things like infrastructure and the security environment.” – T. Anthony Jones, Senior Partner at AWA, Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Qualified Security Assessor (QSA), and Certified ISO/IEC 27001 Lead Auditor
“This is the communication mechanism that allows your organization to keep its finger on the pulse of security in the broader range,” said Anthony. “This is important, again, because of the chain effect. Most breaches happened not because you had an issue at your company, but because one of your service providers had an issue. There have been so many situations where breaches are caused indirectly through a third party or through a service organization.”
How Should Your Organization Show Off Its Compliance Achievements?
“I always say one of the best ways to communicate compliance and having completed security auditing and testing is via the company website. This gives the company space to show off all of their compliance certification badges, if they have achieved more than one,” explains Jena. “I.S. Partners, for example, provides our clients with a seal for most audit types that they can put on their website, LinkedIn profile, in their e-mail signature, or on any other type of communication. These are all ways to communicate compliance to others.”
How Can You Ensure that Customers’ Compliance Certifications are Current?
Depending on your own industry—whether healthcare, financial, credit cards or something else—your compliance needs and necessary audits will vary. Let your business partners know that you must, for example, receive the necessary third-party HIPAA-HITECH attestation to comply with an upcoming change in regulations. Clarify whether or not your organization has remained current in its various audits and whether they must do the same to protect your clients, customers, patients or stakeholders.
One way to determine if certifications are up to date is to read the audit report or the opinion issued in the report. The published audit report states the scope, whether or not any problems were found, and whether a qualified or unqualified opinion was given. You can also find the effective date on which the audit was performed.
How Can You Prepare for Compliance Conversations?
There are many types of additional documentation you can provide to inform prospective business partners of your business’s health when it comes to security and compliance, including the following:
- Provide an Internal Security Evaluation Report – Prepare an internal report modeled on your choice of security framework. This less formal and proactive report offers your potential business partners context so you can engage in effective conversations.
- Document Solutions Before Meeting – Don’t wait until the last minute to resolve issues before meeting with potential business partners and vendors. If you anticipate issues with implementing their product, review the timeline and try to determine what the implementation will cost.
- Build Security and Compliance Initiatives into Your Own Plan and Budget – If you know the market where you anticipate the greatest sales, such as the credit card industry, look into PCI DSS compliance and security requirements. Being able to let business prospects know you’ve already accounted for compliance will go a long way toward opening easy and healthy communications.
- Learn Your Client’s Pain-Points and Work to Address Them – Make sure to let your clients know you want to hear about any sticking points and how you can work together to ease their concerns. Such healthy communication is a great way to optimize compliance efforts and cost.
What Is the Risk of NOT Communicating Your Compliance Status Clearly?
“If you’re not communicating your compliance status to end customers, the ultimate risk is losing those customers. At the end of the day, if customer organizations are using your services, they demand a particular compliance assurance and they don’t get it, those companies will do what they need to do. In order to ensure their own data security and regulatory compliance in their industry, they can easily switch providers.”
Another risk is that potential new customers, or current customers who are launching a new product with different compliance requirements, may not consider your organization as a service provider. If they aren’t aware that your organization meets those compliance requirements, they could overlook your organization because of a perceived mismatch in compliance and security goals. So, it’s important to show off those certifications and attestations.
Are You Confident about Communications with Business Clients and Partners?
Many CIOs and other executives find it complicated to discuss security and compliance matters with new business clients and partners, thanks to the complexity of the subject. As technology plays an increasingly vital role in business, connecting companies in more ways each day, it is more important than ever for companies to develop the communication skills needed to address these issues and build trust and lasting professional relationships. Our I.S. Partners, LLC team can help you brush up on these critical communication skills.
Call us at 215-631-3452, launch a chat session, send us a message or request a quote so we can discuss any needs you may have regarding security, compliance or business partner relations in our digital landscape.