risk, too.” Not every item on the security
team’s to-do list is equally essential from
a compliance perspective—having legal
involved can help home in on the things
that need to be done immediately and the
things that can go, at least for a bit, on the
backburner.
“When you have a partnership between
security and legal, you’ll still get a list of
15 things that need to be done,” says Haubrich. “But there’s more discussion about
it, and a realization that maybe you can
wait awhile for some of it.” In the end, the
company gets the reassurance that it needs
on compliance, while outside counsel’s
burden—and costs—keep from getting
out of hand.

Make It Interactive

One mistake companies make, according
to Boeckmann, is to take what he
calls the “Excel spreadsheet” approach.
“They’ll send an assessment to their law
firm in a spreadsheet hundreds of lines in
depth,” he says. “The law firm will fill it
out, throw it back to the client, and then
they’ll banter back and forth, focusing on
data instead of dialogue.”

That dialogue—whether on-site or via
conference calls—is fundamental to doing
an audit right, says Boeckmann: “Both
parties need to understand where the concerns
are, why those concerns are important,
and why they need to be addressed
from a regulatory or compliance point of
view. You have to have a candid and open
forum.”

“You don’t want to put the
side being audited on the
defensive,” says consultant
Chad Boeckmann.

Don thinks large companies could take
the collaborative approach even a step further,
hosting a sort of compliance summit.
“Bring all the law firms you use together
and tell them what you’re trying to accomplish,”
he says. “What your corporate needs
are, what your law firms can do to help accomplish
them.” Such a venue would not
only give outside firms a heads-up on what
security controls they might need to put in
place—speeding up the actual audit that
comes later—but could trigger a collective
brainstorming session, where company
managers and representatives from firms
find ways to streamline and improve the
audit process.

Look to Standards
Compliance requirements will vary among
industries and businesses, making a one-