The Patient and the Painter
There are two analogies I use more than any others when it comes to educating people about compliance and management, specifically risk management as it relates to regulation, business processes and best practices. I have worked in compliance for over 10 years and in information technology (IT) for 15, and in my experience, they are very intertwined. This was not always the case. Technology has allowed businesses to scale, but technology has also created its own problems.
Technology has introduced new risk to compliance, and without quality processes in place, it tends to directly impact business compliance. Let’s look at HIPAA, for example. Before 1996, HIPAA did not exist. No one was really worried about privacy; there was a common trust factor within the healthcare industry. People assumed covered entities were doing what they needed to do to protect their patient information. People typically think of the Hippocratic Oath or doctor-patient confidentiality, but these deal with obligations more so than rights. Privacy and security are not mutually exclusive, but both are addressed in HIPAA and many other compliance regulations.
So the question I get a lot is, “With all the rules and regulations around HIPAA, PCI, GDPR, NIST, etc., how do I know what I need to do, and can I just do something to make them all go away?” The first part of that is straightforward: all of the requirements are laid out by the governing bodies; they may not be easy to understand, but they are certainly easy to find. The not-so-straightforward answer is how they apply to your business. Once you know whether they apply, an assessment will tell you what you are missing, and then you will need to apply remediations accordingly, if any at all. In most cases, an assessment is required periodically, which can mean yearly or at another set frequency. The second part of the question is a little harder to explain but easy to answer. Just like you have to get on the bike and eat right to lose weight, there is no single pill you can take to rid yourself of compliance if it applies to your business.
This is where I like to start off with my first analogy.
The Patient
Without getting into the weeds, compliance is simply anything someone else makes you do. Not only do you have to comply, but you also have to document and give evidence of your compliance. If you had a headache and you went to see a doctor, the doctor may ask some questions, perform an assessment, and maybe order an MRI scan. The questions, along with the scan results, would give reason either to treat your head or to recommend nothing, as it may be a false positive or related to something else. Additional tests may be needed, or no action may be required, and you may be asked to come back if the problem persists.
If, at the same visit, you told the doctor that your foot hurt, the doctor would then need to ask another series of questions and possibly run additional scans. It is possible that the two issues are related; however, the scans and questions would typically address each issue separately. There may be overlap in the questions, and the scan data may show some similarities (blood flow, etc.), but you can bet that there would be major differences in the data collected from each assessment. This is exactly how assessments work with compliance. A qualified MSP and/or compliance company performs an assessment. If both HIPAA and PCI are required, two assessments will be performed independently of each other. Some policies may apply to both, some scans may touch both data sets, and some remediations may address overall compliance risk; however, compliance requirements for different industries address specific problems. NIST will probably get you closer to the overall health check you are looking for, but it is no joke, and it still doesn’t cover everything required by all the other compliance requirements.
The Painter
Managed services come up in conversation all the time when you are an MSP (managed service provider). I relate it to people asking others if they can do a project they saw on Pinterest. When they ask if they can do it for the same price shown, I roll my eyes. DIY (Do It Yourself) projects have DIY pricing, but when you ask someone else to do it, it is no longer DIY; it is DIFY (Do It For You).
Think of managed services, or really any service, as T&M (time and material). You might think material is not always applicable, and I would say you are wrong. If you relate material to resources, education, experience, tools, etc., there is always material; sometimes it is just implied.
If I have a house that I want painted, I have a few options:
Option 1: Complete DIY
This method requires you to know something about painting. Sure, you could watch YouTube videos, but you have to take into consideration the fact that you may waste more time and materials (paint, brushes, tape, floor covering, etc.) than a professional would, so your material cost is probably 15-25% higher than when outsourcing the work. You are paying yourself for the service and managing the project.
Option 2: Buy Paint, Outsource Labor
This is a great option if you can get paint at wholesale or at a discount (maybe using your painter’s connections). You know your cost up front, and there is cost transparency and clearly defined roles and responsibilities. You are paying for the paint yourself and paying someone else to manage the painting.
Option 3: Contract Entire Job
Outsourcing the entire job can be very liberating when you trust who you are outsourcing to. This is a key component, and not to be taken lightly. When trust is there, you can have peace of mind that both the service and the management are handled. You may ask for updates or peek into the room to see how it is looking, day to day and overall, but the project is not your problem. You are paying for managed services, including the paint, all in one.
Each of these options shows that there are two deliverables: time and material. Which option you choose will depend on what risk you are comfortable with, how much time and how many resources you are able to allocate, and what expertise you have. Option 1 might make more sense when you are small and have time, but as your company grows and your time becomes more valuable, you may be able to make more in an hour than what you would be charged for someone else to manage it. In IT, services relate to licenses, users, devices, networks, applications, etc. You need someone to manage all of that; hence, Managed Service Providers.
Conclusion
At the end of the day, it is best to look at each project with a few questions in mind.
- Do I need this service, and what value does it bring me?
- Do I understand what I need and how it applies to me?
- Do I have the skill(s) required to fulfill this need?
- If I fulfill this need myself, what am I giving up to do so?
- Am I comfortable giving the responsibility to someone else?
- How much value does delegating this need provide me?
When answering these questions, you must also think about and compare value one to one. You may be able to fulfill a need for your business, but can you do it at scale, can you do it as efficiently as a skilled professional in that specific field, and what costs are associated with it, both short and long term? When considering the patient analogy, you must view it from the doctor’s perspective. When considering the painter analogy, you must view it from the perspective of the paint.