Answer at least one of the following questions:
You’ve been hired as a consultant by an organization not due to a breach, but because their regulator documented a finding that the organization must redefine their Incident Response Program.
- How do you garner support for this effort if the organization disagrees with the regulator’s finding?
- What would your project plan look like if you must correct this finding prior to the next annual audit?
Elizabeth V Calise says
1. How do you garner support for this effort if the organization disagrees with the regulator’s finding?
Organizations must meet some kind of requirements. There is some regulatory body that the organization needs to adhere to due to the nature of the company. As is the norm, the company has someone who audits them to ensure they are complying and looks for any discrepancies. People tend to find these things daunting and don’t want to deal with it.
The way you garner support for this effort if the organization disagrees with the regulator is to bring up the positive impact of redefining the Incident Response Plan. As the consultant, you raise that not continuing with the effort could lead to fines or other negative impacts. Going the route of speaking to the negative impacts may not be as useful. It will be better to talk about the positive benefits, like being more secure, which means being less likely to be breached or attacked. A consultant can also argue that the company can now say it adheres to the regulations, and possibly mention that the company has gone beyond the minimum standards. It will sound better. The company is expanding what it can do, and it will show what it is capable of and how it is taking the requirements seriously. It can even entice people to buy the company’s products or services.
Oby Okereke says
Hi Elizabeth:
Certainly, raising the positive benefits of addressing the finding is a good path to follow. I’m on your side on that note and will naturally toe the same line, preferring to dig deeper into the finding, seeking factual evidence to uncover the material weakness as stated by the regulators.
Most regulators work purely on factual evidence, and it’s OK to disagree if alternate evidence to prove the regulators wrong exists.
Navigating this curve to garner support of the organization requires a careful reconciliation of facts between what the organization thinks and the findings of the regulators.
Jonathan Duani says
Elizabeth,
I definitely agree with your statement about showing them the positive impacts that an IR plan would have on an organization. From my perspective, the most important thing is that the company understands how much it would save in the long run with this plan in place. They need to understand the risk associated with not having one, and make sure they are aware of the worst-case scenario of what could happen if something were to occur. I think a lot of management is sadly driven by a numerical dollar amount, and they will understand that the positive would be that they could save money in the long run, even though it’s a pretty high initial investment.
Brock Donnelly says
How do you garner support for this effort if the organization disagrees with the regulator’s finding?
It is very likely that the regulator found something that does not comply with the organization’s main goals or business requirements. Aligning the discovery of the regulator with the organization’s business goals/plan or culture should inspire an unsupportive member. Compliance could be the main reason for a redefinition of the Incident Response Program. Providing an assessment of monetary cost (fines, lawsuits, etc.) to the organization with a scope of five, ten, and twenty years versus the upfront cost of change today would also sway a visionless C-level executive. Help can also come with numbers. Try finding others within your organization who can agree with your goals and ask them to help push your initiatives.
Jonathan Duani says
Brock,
I agree that if the regulator was looking around and it got to the point where they need to garner support to make a change, management should definitely hear them out. If there is a situation that requires a change in the plan, or the creation of a plan as a whole, it could save the company money and time in the long run in case something happens.
Scott Radaszkiewicz says
You’ve been hired as a consultant by an organization not due to a breach, but because their regulator documented a finding that the organization must redefine their Incident Response Program.
How do you garner support for this effort if the organization disagrees with the regulator’s finding?
Garnering support for an initiative that no one believes is correct is a daunting task. The first thing that should be done is to discuss the findings with the regulator and try to get a better understanding of the result. It’s possible the regulator is wrong; not everyone is infallible. This evaluation must be done with senior management involved. If the regulator and the organization still disagree on the findings, I think the next step would be to involve the regulator’s superiors to ensure the regulator’s ruling is correct. If the findings are ruled to be correct, then the organization should do everything within its power to understand why the regulator is stating that this is the correct finding. If the organization still disagrees with the findings, they must, at the very least, come to terms with the fact that this is a regulation and they must comply with the letter of the law, even if they disagree.
Rules and regulations are put into place and an organization is bound to comply with them. Even when disagreements are present, the ramifications of not complying could be drastic. To garner support, senior management must understand that compliance is vital. Senior management should make the organization understand that, while we may disagree with the findings, we are going to comply with the law and take the action that is necessary to correct the finding. Also, senior management could express that even though they are complying, they are going to continue to express their concern over the findings and maybe change the regulations, or get a better understanding of the required regulations.
Dima Dabbas says
1. How do you garner support for this effort if the organization disagrees with the regulator’s finding?
There needs to be support from the organization to understand why the Incident Response Program needs to be redefined. Organizations should comply with regulations as they help ensure that the organization is running properly and in a secure manner. It is not an easy task to gain people’s support for something that they disagree with but I would try to make them understand the benefits that this may have on the organization and how it in the end helps in accomplishing the organization’s goals and objectives.
2. What would your project plan look like if you must correct this finding prior to the next annual audit?
The project plan needs to be documented in a way where the benefits are clear to senior management and to employees to ensure they understand the purpose of addressing the audit finding and resolving it. Presenting the impact that this audit finding will have on the organization negatively and how it can impact the organization’s mission and goals will give senior management and employees a clearer reason of why this needs to be addressed. Thorough planning, testing and agreement from senior management will help guarantee that the audit finding is corrected in the next annual audit.
Elizabeth V Calise says
Dima,
In regards to your response to question 2, I could not agree more. The positives/benefits need to be outlined in the project plan. The plan needs to encourage the employees and make them motivated towards correcting the findings. One can mention the penalties as a note, but I think it is more encouraging to go into detail about the benefits. I think one would get more out of the employees that way.
Jonathan Duani says
Dima,
I agree; at the end of the day, documentation is key, and making sure that everything is outlined clearly and consistently would help in the long run. I do agree with your statement that “Thorough planning, testing and agreement from senior management will help guarantee that the audit finding is corrected in the next annual audit.” I think as long as everyone is on board and the documentation is correct, it could be ready for the next audit cycle.
Ahmed A. Alkaysi says
How do you garner support for this effort if the organization disagrees with the regulator’s finding?
I would identify the risks of not completing this work and the level of effort required to mitigate the risks. The penalties of not complying and vulnerabilities getting exploited might be substantial enough to get senior management’s attention and have them invest in redefining the Incident Response Program. All of this needs to be researched and presented to management in a formal manner. In order to better understand the issue, I need the regulator to provide evidence and information regarding the finding. Just saying it is an issue is not good enough. In order for management to be persuaded, they must understand the What and the Why.
What would your project plan look like if you must correct this finding prior to the next annual audit?
There will be multiple steps included in the project plan. First, I would need to identify the required parties and the owner of this issue. Then we would need to understand the requirements and potential impacts. The LoE would need to be determined and the ETA for completion. Another step would be to identify the testing that is required and how to communicate the change to relevant parties.
Jonathan Duani says
If a company disagrees with the findings of the regulator, it will cause a challenge to obtain support for an incident response plan update. It is important to get senior leadership involved so that they can get the proper support for redefining the incident response plan. You should present to senior leadership the ROI if the company were to invest in fixing the incident response plan based on the findings of the external company. There is also a customer relationship with a trusted company in the industry that is helping with this. Also, there is the fact that you could run a simulation to prove in black and white why the plan is so desperately needed and needs to be accurate.
Dima Dabbas says
Jonathan,
I agree. Senior leadership needs to be involved in situations like this and needs to understand the purpose of redefining the incident response plan. Once there is support from senior leadership, it would be a lot easier to get the other employees within the organization on the same page as well. It will require presenting facts to let them understand why the plan needs to be redefined and what impacts this has on the organization.
Duy Nguyen says
How do you garner support for this effort if the organization disagrees with the regulator’s finding?
Like in many top-down management styled organizations, the initiatives, goals, and directives come from senior management. Buy-in from senior management is critical in communicating any new policies or processes. In a top-down organization, tone and expectations trickle down from leadership. In most cases, it’s not up to the organization to agree or disagree with regulations. Regulations on InfoSec requirements are intended to improve and regulate the information security levels of organizations within that industry.
Oby Okereke says
Hi Duy:
I definitely agree with you. The tone at the top determines the overall level of effort required to garner support if the organization disagrees with an audit finding. Thus, if leadership is fully engaged with the audit process as expected, the organization’s leadership will not rail against the finding but will necessarily possess an in-depth knowledge of the control environment; and as such will be able to navigate and unearth the root cause of the finding and required corrective steps – if any as well as provide evidence as to why the finding does not speak true to the control environment.
Elizabeth V Calise says
Duy,
You made a good point; leadership is one of the keys. You need leadership to speak up about their support of the regulators in a positive tone. If the leaders are on board, so will the majority be. When it comes to these topics, I have seen where there are large virtual meetings that many people from the team can attend, and leaders are speaking and having a fluid conversation. That could be something that could work when wanting to flow down the support.
Folake Stella Alabede says
How do you garner support for this effort if the organization disagrees with the regulator’s finding?
I’ve come across questions like these a few times; one or two times, interviewers have asked me questions like: what do you do when an organization would not accept a finding? Or what do you do if the organization is not taking steps to remediate a finding?
The organization should not blatantly “disagree” with a regulator’s finding, because a finding indicates that some form of substantive/compliance testing has been performed, and there is documentation that attests to the findings; documents don’t lie either.
A finding in an Incident Response could have a serious impact on an organization depending on the nature of the organization’s business. The consultant should garner support by explaining this and giving (quantitative and qualitative) real life examples/scenarios of what could happen if the Incident Response plan is not redefined.
Oby Okereke says
Hi Stella,
I have to agree with you and if I’m correct auditing is your bread and butter and as such, your opinion is a professional representation of your experience in the field.
A blatant disagreement with the regulators will not serve the “auditee” well because such findings are necessarily a call for improvement and should be well received and acknowledged, researched and if found true, the “auditee” can proceed to establish a substantiated valid evidence to the regulators.
Sheena L. Thomas says
Since it’s a regulatory finding, I would garner support by explaining the consequences of not complying with a regulatory finding. More than likely the consequences would include, but not be limited to, criminal penalties, legal action, reputational damage, and fines.
My project plan would include the following items:
-The finding
-Work Breakdown Structure
-Deliverables
-Mitigating controls
-who will implement the mitigating controls
-Schedule
-Budget
-Communication
Dima Dabbas says
Sheena,
You make valid points. Presenting the consequences of not complying with a regulatory requirement can help employees understand that they need to support this. There are obvious reasons why this is needed, and the next step would be figuring out the project plan for how this needs to be implemented. The items you included in the project plan are all important. From these different items, we see that the organization as a whole needs to be in this in order for the project plan to be implemented successfully.
Oby Okereke says
What would your project plan look like if you must correct this finding prior to the next annual audit?
_____________________________________________________________________________________________
Addressing an audit finding is a procedure that calls for a carefully thought out project plan. Of course, some findings require minimal effort and resources while some others require a budget that needs to be carefully disbursed to fully meet the compliance and conformance to the finding.
My first step would necessarily be to determine the root cause of the finding. Asking the question why the gap exists will form the basis of the project plan and the required corrective actions.
In defining my project plan, three questions need to be answered: who is responsible for resolving the finding, what is required to be done, and finally the timeline as to when the corrective action(s) must be completed, in time before the annual audit occurs.
A broad overview of my project plan will include the following;
1. Root Cause
2. Project scope
3. Project team members – with specific assigned responsibilities
4. Time-frame for corrective action(s) implementation – start and finish date
5. What actions need to be carried out
6. Project close out – Report generation
7. Ongoing review and monitoring
Dima Dabbas says
Oby,
Interesting points. I agree first there needs to be an understanding of the gap that exists that is requiring the organization to make these changes. Understanding the gap ensures that there is careful planning in this future project that addresses and corrects this gap. Assigning responsibilities to the different team members is also an important task as this ensures that we have the personnel that will aid in completing this project which is the reason we need to have the full support from the organization.
Jonathan Duani says
Oby,
Much like Dima has mentioned, I do feel like there needs to be a clear understanding of where the disconnection is so that a plan can be put in place. I think that the idea you put out with the different steps was great and a different way to answer the question. I think that at the end of the day, the three questions that need to be answered that you mentioned are probably a great way to look at the problem, and if you are able to resolve these questions, then the issue should be resolved.
Jonathan Reid Kerr says
1. How do you garner support for this effort if the organization disagrees with the regulator’s finding?
In order to gain organizational support, it is important to understand that you are not necessarily trying to make the leadership agree with the findings. The most important part is getting those in charge to understand the importance of the findings and agreeing to redefine the Incident Response Program. While making the organization agree with the documented findings would make the rest easier to deal with, it isn’t the only method to getting leadership to act.
Getting senior leadership buy-in is key to getting the organization to act. One of the best ways to accomplish that, is to show how the regulator’s findings will impact the organization if no action is taken. This can be monetary impacts or an impact to the company’s reputation if the program is not redefined. Furthermore, assessing and presenting risks involved with not complying with the regulator’s findings will aid in gaining executive buy-in.
Steve Pote says
This is so near an Intrusion Detection assignment I feel guilt. I have a slide deck for this.
Support for direction in redefining the IRP would best come from same vertical or business peers. If peers comply, compliance is the suggested path complete with their map. If they disagree they set precedent both in disagreement and in how ~they~ corrected the finding. The ultimate support is knowing the regulators will be by again.
Actual handling should mirror a breach as mitigation of such risk is the goal of regulation in the first place. The Business Impact of a finding can be the Business Impact of a breach less damages.
The project plan would be steps to build a Security Operations Center. In this case, a team not only to work through the current regulatory question but recognizing the iterative need: you may be able to achieve compliance and a generally secure state now, but wait, and that will surely change.