A wide range of solutions exist to address the increasingly complex requirements of data privacy regulations. Often lost in the conversation, however, is the importance of communication. We spoke about that with CipherCloud’s Chief Trust Officer Bob West. Bob drew on his experience in the financial sector to discuss best practices for communicating compliance policies in banking.
Can you tell us about a regulation that demands better communication in financial services organizations?
Bob West: On the consumer side, there’s the Gramm-Leach-Bliley Act (GLBA), which governs the fact that banks need to protect customer information. It requires a comprehensive information security program, written documentation and processes, and administrative, technical, and physical safeguards. And of course all these efforts need to be coordinated across the entire organization.
How should banks handle this?
Bob West: Communication across an enterprise can be a challenge. My first tip is to engage someone either in communications or marketing to write very clear communication. There’s a baseline responsibility for all employees, and then there are those of the executive team and responsibilities for people who work in technology. For technologists, that communication is particularly important because people who manage technology have a strong influence in how information is protected. Fundamentally, you have to have a very strong blueprint that says “Here’s how to communicate with all divisions and departments.”
Once they have that blueprint, how can organizations best communicate requirements to employees?
Bob West: Communicating in terms that a broad population understands is absolutely a challenge. That can be difficult for most technology and security organizations, because they’re used to using complex language. One of the most important things at an enterprise level is communicating in terms that employees in general understand so they know what their role is in protecting information. If that doesn’t happen, people begin to question their role in protecting information. That’s why it’s very important to communicate in clear language.
I would use multiple methods to communicate it. Some people consume email and pay attention to it. Some will look at written information. Some will look at intranets. I advise people to have multiple communication methods—the more the better. As an example, if you have an internal newsletter, whether it’s physical or electronic, embedding information about complying with regulatory requirements is great.
Putting a finer point on that, when you communicate with branches, particularly in large banks with 1,000 or 2,000 branches, there’s typically formal communication that goes out from corporate HQ to the branches. Getting engaged in that mechanism is something that’s really important. People pay attention to this type of communication and as opposed to having a one-off message.
Communicating the importance of complying with regulatory requirements should come from the CEO. It’s one thing for a CISO to communicate something, but if it’s much more impactful if comes from the CEO.
It becomes about the top of the house agreeing that regulatory compliance is a high priority, articulating what we need to do and why, and finally communicating that in really simple language so that everyone understands their role in protecting information.
How important is awareness and education to help organizations comply with regulatory requirements?
Bob West: Very important. There are a lot of technology people that instinctively have the reaction of “What’s the tool I need to buy to solve this problem?” And while there are some good pieces of software to aid in awareness and education and security and risk, ultimately it’s about influencing the behavior of people. The way you do that is you communicate very clearly why you need to do things. There are simply a lot of organizations that don’t communicate that well.
How does your organization handle compliance communications? Tell us your experiences in the comments.