How to Establish a Sustainable Compliance Program

Symcor’s Della Shea offers her award-winning approach to creating a formal and rigorous security system

After working in privacy, security compliance, and risk management for 14 years, Della Shea had her experience validated with the Information Security Executive of the Year Award from Tech Exec Networks in 2013. She’s charged with overseeing privacy for all information-management matters at Symcor, one of Canada’s largest outsourcers of financial processing.

1. Make compliance a priority

When chief privacy and information risk officer Della Shea was entrusted to lead Symcor’s Payment Card Industry Data Security Standard (PCI DSS) compliance program, such initiatives were fast becoming a greater industry expectation. The company is a critical service provider to the financial, retail, and telecommunications industries, so pursuing compliance was an important priority.

The PCI DSS is a comprehensive set of data-security requirements developed by the founding credit card brands through the PCI Security Standards Council. There are nearly 300 security controls—including requirements for security management, policies, procedures, software design, and network—and physical controls designed to protect customer credit-account information. Ignoring even a single control will result in a failed company assessment, and organizations tend to tackle PCI DSS compliance annually rather than as a continuous risk-management effort. “This is a model destined for failure,” Shea says.

Having a strong background in the disciplines of risk management and compliance helped Shea embrace the challenges of the PCI DSS regulations head on. She surrounded herself with a talented team of people whom she challenged to think creatively and do more with less, pushing them to link separate business objectives and create common processes that would leverage shared technologies.

2. Build a coalition of change

Starting out, Shea had to assess the impact that achieving PCI DSS compliance would have across her organization. “It was complex, so we had to look at it as a kind of journey,” she says. “That involved breaking down the big tasks into manageable parts that could be understood and tackled.”

To help with this, Shea pulled together, with strong support from executive management, a core task force that consisted of a seasoned program manager, a governance and compliance expert, and a security architect who was also a PCI-qualified security assessor. She also engaged external consulting firms early to ensure ideas and concepts that were successful in other markets were integrated, and she continually identified internal and external stakeholders that would play an important role throughout the compliance journey.

3. Create a sensible strategy

The first thing that Shea and her team did was seek the expertise of Symcor’s CIO and its architecture team to create a workable strategy. The talks between these groups evolved into an overarching program plan and business case that demonstrated what changes were required at a detailed level. “It was critical to make sure it was a team effort with inputs from many stakeholders, each having valid ideas and inputs into the process,” Shea says.

4. Reuse and repurpose for efficiency

Shea’s team worked with a simple mantra: reuse, repurpose, and collaborate as much as possible. Wherever the team could do something once and then have multiple business units leverage it, they did. For instance, building a core infrastructure and then, on top of that, building the business-specific requirements lowered overhead.

The team ran multiple projects in tandem in order to get the program done within a tight time frame. It helped that the effort was led by a talented program manager who could orchestrate so much and so many teams at the same time.

5. Inject governance throughout the process

Producing evidence of compliance to demonstrate the effectiveness of a security program such as the PCI DSS can be a challenge for many organizations. It involves determining what form and type of evidence to show auditors or external assessors in order to assure them that the program is working effectively during the particular time periods that they happen to be conducting their reviews.

“Governance cannot be an afterthought,” Shea says. “Determining the best approach to monitor controls to ensure they continue to work effectively is the foundation of any sustainable compliance program.” For this reason, she established a separate governance project and work stream from the initiative’s start.

6. Establish a sustainable culture

Building the right culture is something Symcor set out to accomplish early. The company kicked off its new program with a PCI Council lead-training day to give employees a foundation for the transition in the company culture. Representatives from the council visited Canada to train more than 80 people, including employees and select clients. Then, to follow up a year later, Symcor hosted an internal PCI DSS compliance conference, giving employees an opportunity to hear from their CEO and industry experts about the importance of security and their role in making the PCI DSS program a success.
__________________________________________________________________________

THE BOTTOM LINE

Job title
Chief privacy and information risk officer

Industry
Financial processing

Years in the business
14

Where did you start your career?
RBC.

Describe yourself in three words
Optimistic, collaborative, practical.

Advice to those just starting in finance
First, look for opportunities to do what you love, and surround yourself with people who have a genuine interest in seeing you succeed. Secondly, lead by the Golden Rule: “Do unto others as you would have them do unto you.”