As a security professional, you know how hard it can be to make security and compliance an interesting topic for the colleagues outside your department. Any time you mention access controls or multi-factor authentication, you can actually see their eyes glaze over as they disengage from what you’re saying. It’s disheartening, really.
However, when it comes to solidifying your company’s security and ensuring compliance with key standards like SOC 2, you need everyone to work together towards those goals. Robust compliance can’t happen without absolutely everyone in the organization being on the same page about the value of security.
So, how do you turn those disinterested individuals into security advocates? You build a culture of compliance.
If that sounds like a complex task, it’s because it is. How your colleagues view compliance isn’t going to change overnight. That’s why we’re sharing some best practices to get you started.
Your leaders play a massive role in setting the overall direction and culture for your company, and getting them aligned on the value of compliance will go a long way in ensuring everyone else follows suit. As you approach each leader, remember: each one will have a different driver for making compliance happen.
In your conversations, make sure you’re accounting for these perspectives, and make it easy for them to understand what’s in it for them and their team. This will quickly make them compliance ambassadors.
Your colleagues already operate within an environment that’s framed by the corporate values, so leverage that framing. Take the list of values, whether there are three or 10 of them, and see how each one can help drive compliance. Do the exercise of writing down these connections, and then present it back to the rest of the company.
Once you’ve done that, any time you share an update from the compliance journey, or ask employees to make a change in the name of compliance, you can frame it in the context of one of the values.
No one likes being told what to do, and that remains true when it comes to compliance. Our advice? First, do everything you can to show why being compliant is important (like connecting the dots for your executives and aligning your initiatives to corporate values).
Then, set clear expectations around where you’ll need everyone’s help and how involved they’ll need to be. Having a roadmap or calendar of requests can be useful here.
Lastly, always keep the door open for questions and recommendations. People may want to know more or might have an idea for how to execute a particular compliance initiative.
We started this piece by talking about how most people find security and compliance boring, and no matter how much you get people bought into the value of compliance, that’s not going to change. So, have fun.
Consider gamifying some of the security changes you’re making. For example, if you’re rolling out multi-factor authentication, consider giving out a prize to the first five people who enroll their factors. If you do this with enough initiatives, you can run a Compliance Leaderboard with a Champion announced at the end of every quarter.
Alternatively, once you’ve done a couple of learning sessions or announcements on security and compliance, host a quiz event. See who on your team can get the most answers right about your compliance journey. (But maybe exclude anyone from the security team.)
Don’t forget to add fun into your communications, as well. I once had a security change manager who added memes and puns into each of her security updates. This was impactful because it made talking about security less intimidating.
Part of ensuring compliance will require tooling and software that your colleagues will have to adopt. Spend the time finding solutions that are easy to use and integrate seamlessly with the technology your company already uses. Doing this will minimize any potential friction and ensure the transition to new tools is smooth sailing.
You know it, we know it: compliance is an increasingly important part of any company — but it’s not always easy to execute on. We hope these tips help you better engage with the rest of your team, so you can build a strong culture of compliance.
Pima.app makes it easier than ever to share compliance documents with third parties. Learn more about how our customers use our tool.