Shift Compliance Left: Put Your Money Where Your Mouth Is

Drive the right behaviours and make it easier for the first line to do the right thing, rather than relying on heavy-handed compliance measures. Shifting compliance left can lead to transformative outcomes and the need for aligning efforts, resources, and budgets.


Welcome to the second instalment of our blog series on rethinking the three lines of defence model. Building on our previous discussion, where we emphasized the importance of putting customers at the core of compliance, this blog post delves deeper into the concept of "shifting compliance left." By practically creating products and services for the internal customers of the first line of defence, organizations can enable them to take on their accountability in the most effective and efficient way. The objective is to drive the right behaviours and make it easier for the first line to do the right thing, rather than relying on heavy-handed compliance measures. This concept draws inspiration from embedding security into the software development process and leverages behavioural economics frameworks. Let's explore how shifting compliance left can lead to transformative outcomes and the need for aligning efforts, resources, and budgets.

Creating Products that Drive the Right Behaviour

To facilitate a shift in compliance, organizations must focus on designing and offering products and services that empower the first line of defence. Just as embedding security into the software development process transformed the security landscape, we can apply similar principles to compliance. The aim is to make it easier for the first line to meet compliance requirements and take ownership of their responsibilities. By providing user-friendly tools, streamlined processes, and automated solutions, organizations can nudge and influence behaviour positively, enabling the first line to seamlessly integrate compliance into their daily workflow.

Treat the cause and not the symptoms

In what I regard as staple reading for anyone who considers themselves a compliance or security professional, Ian Levy, the NCSC’s departing Technical Director in 2022, wrote inter alia, "We’re still treating the symptoms, not the cause", and that we need to focus more on creating products and processes that drive the right behaviours. Although this will also be the subject of its own post, behavioural economics provides valuable insights into human decision-making and behaviour. Leveraging this knowledge, organizations can design products and services that align with how people naturally think and act. By understanding cognitive biases, motivations, and decision heuristics, compliance processes can be designed to be more intuitive, engaging, and aligned with the first line's workflow. For example, implementing frictionless recertification processes or gamifying compliance activities can create a sense of ownership and encourage active participation.

Put your money where your mouth is: Reallocating Effort, Resources, and Budgets

If I were to ask you, or anyone in the compliance community, whether you would prefer to get the controls right first time in the first line or to catch the issues in the second or third line, I bet nobody would raise their hand for the latter. To truly shift compliance left, organizations must reflect this transformation in the distribution of effort, resources, and budgets. This requires a strategic approach that focuses on the gradual transfer of responsibilities and investments to the first line of defence. Not only does it require strategic thinking, but also letting go of traditional mental models that are emotionally connected to the base of these compliance communities and professionals. We need more shared goals if we are to be successful; establishing objectives and key results (OKRs) and key risk indicators (KRIs) that drive this shift can help guide the organization's progress. Allocating more resources towards developing products and services that facilitate first line compliance, such as identity and access management, change management, and frictionless recertification, is crucial. The goal is to pivot the flow of work towards the first line, rather than burdening them with additional compliance processes. Talk is cheap. Transfer money and resources from your compliance budget to the next constraint in the system: the first line and the products or services they use. Remember that at any point in time there can only be one constraint in the system, and, as pure Theory of Constraints tells us, SUBORDINATE everything else to the constraint, and then, only then, move to the next one.

Driving Cultural Change and Organizational Alignment

Shifting compliance left is not solely about technological solutions or process changes; it requires a cultural shift within the organization. By emphasizing a collaborative and supportive approach, organizations can foster a culture of accountability, where compliance becomes embedded in the fabric of everyday work. This requires leadership commitment, effective communication, and a shared vision across all levels of the organization. When the entire organization aligns around the principle of driving compliance from within the first line, a significant and sustainable change can be achieved.

Conclusion

Shifting compliance left presents an opportunity to transform the compliance landscape by empowering the first line of defence. By creating products and services that drive the right behaviours and aligning efforts, resources, and budgets accordingly, organizations can foster a culture of accountability and efficiency. Leveraging insights from behavioural economics and following the principles of embedding compliance into workflow, organizations can make compliance an integral and seamless part of their daily operations. With a collaborative and strategic approach, organizations can truly put their money where their mouth is and drive impactful change in their compliance practices. Stay tuned for the next instalment of our blog series as we explore more thought-provoking approaches to the compliance domain.