CIOs need to manage risks effectively to meet compliance, not other way around.
The need to ensure compliance with regulations should no longer be the primary consideration of CIOs when planning IT risk and security measures, Gartner has suggested.
Compliance is an outcome of a well-run risk management programme and should not dominate CIOs’ decision making.
"By simply trying to keep up with individual compliance requirements, organisations become rule followers, rather than risk leaders," said John Wheeler, research director at Gartner.
"CIOs must stop being rule followers who allow compliance to dominate business decision making and become risk leaders who proactively address the most severe threats to their enterprises."
Risk leaders evaluate anticipated compliance risks by tracking key regulatory and business changes. They then create a plan to address compliance requirements in a strategic and proactive manner that improves resilience and influences their business’ success.
Wheeler added that, too often, organisations still treat compliance activities as a checkbox exercise, with little regard for the related risks they are intended to address.
"If CIOs are managing their risks effectively, their compliance requirements will be met, and not the other way round," added Wheeler.
"They must create a formal and defensible programme of controls based on the specific situation and risks unique to their business.
"The rules and laws should then be mapped into the controls that have been proactively selected, and a defensible case should be made that the laws are being appropriately addressed."
CIOs should work with their security and risk management teams to build a formal programme that can adapt to the changing landscape of regulatory requirements and that protects the organisation from anticipated risks, according to Gartner.
Key compliance and regulation issues will be examined in more depth at the Gartner Security & Risk Management Summit 2013, 18-20 September in London.