Compliance success? Start with your people and culture. A Q&A with Fun Man Andy
Share on socials
Compliance success? Start with your people and culture. A Q&A with Fun Man Andy
Selena Cass
11 October 2024
13 min read
Selena Cass
11 October 2024
13 min read
Jump to Section
Jump to section
How do different industries approach infosec and compliance?
How can compliance be effectively managed?
How can companies keep up with changes in the compliance space?
What impact will AI have on the security space?
What's your top tip for improving your approach to compliance?
Are companies investing enough in infosec and compliance?
How does company culture affect infosec and compliance?
How can leaders drive best practices around infosec and compliance?
What's the one thing you want us to take away from this chat?
Uncover the intricate relationship between company culture and information security, and find out why investing in compliance could be your competitive edge in this in-depth Q&A with Andy Barker, a.k.a, Fun Man Andy.
According to a recent PricewaterhouseCoopers report, 35% of risk executives see compliance and regulatory risk as one of the greatest threats to their company's growth.
With threats on the rise and the average cost of a data breach hitting a record $4.45m in 2023, the stakes of not getting it right are at an all-time high. So, what can organisations do to mitigate the risks and safeguard their business?
We put this question to Andy Barker (better known in the Atlassian community as Fun Man Andy) and chatted with him about all things information security (infosec) and compliance. We explored the changes he'd like to see in the industry and his top piece of advice for leaders.
Here's a recap of our chat.
As someone who has been an active member of the Atlassian community for a long time, how do you see different industries approach information security and compliance?
Over the past two decades, I've been lucky to work with a diverse range of companies of all sizes, from startups to large enterprises, both within and outside the Atlassian ecosystem. One key thing I have learned is that every company, without exception, wants to meet its compliance obligations, but it is a huge challenge, and there is no one-size-fits-all solution.
Every industry has its own regulations, which help to guide the priorities they need to focus on. The type of data they need to protect also influences how they approach it, for example, it could be about protecting customer information or data related to intellectual property rights. Whatever the case may be, there are a lot of different things to consider, making it a complex maze to navigate. Keeping up with all the changes that are coming through and understanding what action you need to take and why is a constant challenge for companies.
In your opinion, how can compliance be effectively managed?
It comes down to a number of things. But as a general rule, the most effective approach is when companies have their own internal quality or security teams that handle everything.
One of the best ways to look at it is from the perspective of a company's people, processes, and products and how they should work together to achieve the best results.
- For starters, people should always come first, as they know and understand what's most important. Although there is so much technology available now to support people, ultimately, the best results come from people being in control of the final decisions.
- The next step is to consider the processes and the specific rules and regulations that apply to your company's industry, as well as the processes that must be followed almost religiously to stay compliant.
- Then that leaves the products. They could be external products, i.e., what you sell, or internal, i.e., what you use. Either way, it's up to your people to understand what these products do and how to manage them to keep them compliant.
Regardless of the industry, standardising security procedures and having all the necessary documentation in place is crucial. Some industries and companies are definitely more ahead in this area than others, so there is still work to be done to get everyone on the same page.
What can companies do to keep up with all the changes in the compliance space?
Many companies don't understand compliance. That's more of an instinct from my own experience than a fact, but I think the problem lies with data and recognising its importance. Also, the prevailing view is that it is a necessary evil, just another box to tick rather than something they should prioritise.
Is it among the top five priorities? Potentially, for sure. But if we look at the fines being handed out across Europe, they are ridiculous. So that tells you that it is still not being taken seriously enough or given the attention it deserves.
Many companies focus on getting all their certificates and processes audited, but the bulk of the focus on compliance is still very reactive. There must be a shift from reactive to proactive, with companies actively seeking out apps like Upscale's to protect their data and prevent something critical from happening, rather than scrambling to put safeguards in place after the fact.
There must be a shift from reactive to proactive, with companies actively seeking out apps like Upscale's to protect their data and prevent something critical from happening rather than scrambling to put safeguards in place after the fact.
What impact do you see AI having in the InfoSec and compliance space?
I feel that artificial intelligence (AI) can be most beneficial when it comes to optimising systems. A great example of this is offboarding people in your company, which is really important, as it can pose a huge security issue if not done properly (or at all!).
You could use AI to track the contract end date on your HR system, notify the manager, and close all accounts relating to that individual on the appropriate date, avoiding the need to remember to check it manually.
The same applies to the general optimisation of systems like Confluence.
AI offers huge opportunities in terms of data cleanup, archiving, and other highly manual tasks.
For example, if a user hasn't been on Confluence for over six months, AI could be used to automatically flag this and deactivate the account if appropriate. The same could apply to pages that have not been viewed for a period of time.
In my own business, I can see the value in using it to support my monthly security audits.
At the moment, I do them religiously to check who is using what system, etc. The whole process takes me about five hours to double-check everything across multiple apps.
Ultimately, AI could do this work for me and give me half a day back to focus on other things. So it's about the empowerment of people to get time and energy back into their calendars, to do more, to do better. Whether that's having more time to improve your security practices or to focus on other parts of your business.
Many companies in the Netherlands have adopted AI and then retrained or reskilled their employees to work in other or new business areas. I think this is great. For me, AI should be used to take a lot of mundane and repetitive tasks out of people's daily schedules, not to replace them. I don't see that happening. Especially in the compliance space. At the end of the day, it's a tool, and you can't rely solely on tools, because that's when you're not paying attention. That's when it's not your top priority, right? So you're always going to need to have a human in the loop of any AI system. You're always going to need to have the human in the driving seat. You're always going to need your processes, and you're always going to need your products. The challenge is in finding harmony across all three.
What's your top tip for organisations to improve how they approach compliance?
Okay, just a warning: It's probably not going to be popular with many companies out there.
But my top tip is to overhaul or even scrap mandatory training sessions.
In reality, most people don't benefit from those sessions. They have to do them, so they focus on how to get through them as quickly and painlessly as possible. As a result, many people play the training on mute in the background and skip through it as fast as they can. Are they learning anything valuable in the process? Unlikely.
I think a better use of time would be for companies to focus on making training more interactive, helping people understand how risk relates to their role and what's at stake. People need to know what is happening with their companies and where to find the right information. Training has to be relevant to them. If you take this approach, you are more likely to make it part of your culture and make it real and memorable for people. Forcing mandatory training might tick a box, but it will never deliver the results you need.
Forcing mandatory training might tick a box, but it will never deliver the results you need.
Do you think companies are investing enough in infosec and compliance?
Like I said earlier, the approach is generally still very reactive. Are companies investing enough? Probably not. If I look at where companies, especially large ones, put their money, time, energy, and focus, compliance is definitely one of the areas that gets the least attention despite its importance.
I don't think that is something that is deliberate, it just comes down to the choice between putting £100k into making your company fully secure for the future or putting that investment into sales and marketing to increase revenue. It always comes down to the bottom line, but I think that is changing as consumers are now expecting, even demanding, companies they do business with, to be responsible and to show that they are investing in these areas.
That's why smart companies are now considering it a competitive differentiator, and it definitely can offer that. Investing in security and due diligence may not generate revenue, but it will certainly tip the balance if two companies invest in it and the other doesn't.
How do you think company culture affects infosec and compliance?
I think it's vital that people know the laws and regulations and how they apply to their roles and the industry. Company culture is really important in this as it sets the tone for what is acceptable and what isn't. This helps to build trust at all levels of the organisation and encourages people to do the right thing.
On the flip side, companies that have the wrong culture or even toxic cultures create an environment where disgruntled or disengaged employees are more likely to open back doors to risk or even decide to purposely harm the company. This can have devastating consequences at every level of the organisation.
The main focus should be creating a culture where people are comfortable speaking up and acting in the right way, and where everybody feels collectively responsible for following best practices.
What can leaders do to drive best practices around infosec and compliance?
Leaders need to lead by example but also listen to people and act on any feedback they receive. It is crucial to give people a voice and the opportunity to share their opinions and concerns, knowing that they will be taken seriously and followed up.
As Steve Jobs once said, "It doesn't make sense to hire smart people and tell them what to do; we hire smart people so they can tell us what to do."
What's the one thing you want us to take away from this chat?
Ultimately, there's no difference between a startup and a 50,000-person company when it comes to data security. It doesn't matter how big or small your company is, or how much revenue you generate, from a criminal viewpoint, everyone is a target. And when it comes to regulatory fines, any business can fall foul. The best advice I can give is to give compliance the focus and investment it deserves. Don't put it off. It could cost you your business.
Staying compliant shouldn't feel like a burden
Find out how our range of powerful apps, including Encryption for Jira and Data Control for Jira can keep your Jira instance safe and secure so you can focus on what you do best.
Related Content
Read moreWritten by
Selena Cass
As a senior content marketing consultant at Upscale, Selena thrives in the ever-changing world of technology. With over 20 years of experience, she has worked across diverse sectors and specialises in crafting engaging content that captures attention, showcases expertise, and drives business growth.
InfoSec & Compliance
Atlassian
Related Content
Read more