One of the major problems that organizations face when they’re reviewing their compliance program is understanding why they are doing what they are doing and how to achieve a ‘steady state’ where compliance becomes part of the scenery rather than an ongoing struggle. For many organizations, this state seems to be receding ever further into the distance. Each year bring more controls that need to be implemented and monitored. Every gap analysis finds more gaps and every effort at remediation appears to lead to little relief.
Part of this issue is that for most organizations a ‘gap analysis’ is about the worst thing that they could be doing. A ‘gap analysis’ frames the situation to prejudice an outcome and rarely helps an organization get closer to a steady state of compliance. Framing is a term from linguistics which describes how the choice of words activates certain emotions and thought patterns. With a ‘gap analysis’ the framing works like this: Gaps are bad. Analyzing and fixing gaps is good. Having no gaps is best of all. However, in practice there are always more gaps to be found. Existing gaps may reoccur in other forms or auditors will just dig deeper to find smaller and smaller gaps. But seeking to identify weak areas is good. It shows that we care about what is wrong. Therefore we should do gap analyses.
Even in organizations that are highly compliance focused, this approach doesn’t make a lot of sense. It provides a never ending stream of ‘remediation activities’ and ‘refresh testing’ which keeps people employed and consultants in business, but it may or may not contribute to making organizations more secure or compliant. And after a point, there is not much point in being more compliant than is enough to achieve a particular sign-off or to provide a level of due care should an organization be sued.