DEREK SMITH: ‘Box checking’ no security guarantee

A new era of technology-based businesses has begun. Technology is used for every aspect of business, from accepting client instructions electronically to processing credit cards, accepting wire transfers and storing employee and customer information. Simply put: Any business requirement can be met with technology.

As technology advances, more data is generated and security risks increase. The compliance frameworks that have been developed provide companies and their data with protection from the pitfalls of this new era. But, as important as it may be to follow compliance frameworks, simply “checking our boxes” does not guarantee your company and its data’s security. Given this situation, this writer argues that several shifts are required to survive the ever-changing business environment.

Enhance risk assessments

Risk assessments are among the primary tools that compliance departments use to identify, capture and control enterprise risks. In order to determine security risks, updating the risk categories and/or questions to incorporate new products, services, processes and applications may be necessary. What new regulations might be impacted by your company’s Fintech (financial technology) investment? It is also important to reflect on any changes in regulations that might have an impact on your company’s products and services when you conduct your risk assessment.

Strategic integrations

Compliance officers are able to manage compliance programmes using a variety of tools. It has always been the responsibility of the chief compliance officer and their staff to determine the value of these tools, and how to integrate them into existing processes. Evaluate whether regulatory technology currently deployed within your company is still sufficient when considering technological advances.

Information Security Governance (ISG) implementation

In light of the growing importance of corporate governance, cybersecurity and the associated legal and regulatory compliance issues, various companies have implemented ISG. ISG is the foundation of a strong security culture. There are many topics and theories on which ISG research focuses: deterrence, neutralisation, rational selection, rational activity, organised conduct and security motivation. Unfortunately, while the current body of knowledge about security at an individual level is growing, there appears to be little known about security at the “governance” level in small island developing states such as The Bahamas.

There are three general goals for an Information Security programme, commonly referred to as the CIA triad - Confidentiality, Integrity and Availability. As data is used in many different ways within a company, maintaining its confidentiality is of paramount concern, requiring a set of policies and rules that define who is authorised to access the data. As such, information security frameworks and standards can only be implemented through control policies at a company level to manage security and risks. However, impediments arise when there is no standardised approach to ISG.


At this time of technological transformation, security should be a top priority. In addition to compliance frameworks that help companies to pass audits, organisations should equally focus on proactive security measures. It is possible to sharply increase your company’s overall security posture - and simultaneously meet compliance requirements - if you change your mindset from focusing only on compliance to one focusing equally on proactive security.

NB: About Derek Smith Jr

Derek Smith Jr. has been a governance, risk and compliance professional for more than 20 years. He has held positions at a TerraLex member law firm, a Wolfsberg Group member bank and a ‘big four’ accounting firm. Mr Smith is a certified anti-money laundering specialist (CAMS), and the compliance officer and money laundering reporting officer (MLRO) for CG Atlantic’s family of companies (member of Coralisle Group) for The Bahamas and Turks & Caicos.
