4 Roadblocks That Challenge 24/7 IT Security Compliance

Written by Ashley Gwilliam on March 17, 2023


Have you curled up with any good IT compliance books lately?

Yeah, we haven’t either — except for JumpCloudian Kate Lake who has been digging into The IT Manager’s Guide to Data Compliance Hygiene. Understandably, most IT managers avoid dealing with compliance until deadlines are looming. 

Maybe it’s because the subject matter is about as dry as one of those bird seed-looking crackers. You know, the kind you can only buy at organic and specialty grocery stores. 

If you’re not into bird food, or you’ve been too busy troubleshooting tickets, monitoring security threats, and onboarding new employees to look into compliance protocols, this article is for you. We’ll discuss the four most common surprises you will likely encounter when spearheading the IT compliance audit process for the first time. 

Whether you’re prepping for SOC 2, PCI DSS, or another security standard, use the following information to mentally prepare for what’s to come.

4 Challenges to Staying IT Security Compliant 24/7


Data compliance means following several overlapping sets of obligations at once: disclosing how collected data is used, restricting access to sensitive information, fixing security vulnerabilities, and keeping the information you hold accurate.

The real challenge lies in meeting those obligations while complying with several regulations at the same time. Let's look at some common challenges you may face when implementing compliance requirements, and how to confront them:

1. Long Review Periods

Timing — it’s one of the most nerve-wracking aspects of data compliance audits. Take SOC 2 Type II for example. 

A SOC 2 Type II engagement typically starts with a readiness and remediation phase of a few months, followed by an observation (audit) period of 3, 6, or 12 months. Your organization chooses the length of the observation period, usually in consultation with the auditor.

During that window, auditors interview stakeholders, request evidence that controls are in place, and sample control activity from any point in the period. A sample may land on an atypical day with an unusually high number of control failures.

In such instances, it's your responsibility to explain what's going on. For example, you might present the auditor with your device inventory alongside the list of devices that aren't yet compliant, and explain that you have tickets open on 10 of them and that a handful of others were deployed for new hires the day before.

Consistent and clear communication is essential. 

2. Unclear Control Guidelines

The next frustrating roadblock you may encounter is ambiguous control guidance. Regulators and standards bodies say little about how to select and define the controls that satisfy a requirement.

While some requirements leave no room for misinterpretation (for example, "employ multi-factor authentication"), others give you significant leeway on how to achieve the stated result.


Even the AICPA's guidance for SOC 2 is deliberately broad: its Trust Services Criteria describe what a control must achieve, not which control to implement, and leave that choice to the organization. With dozens of criteria spanning security, availability, processing integrity, confidentiality, and privacy, it's easy to get lost in the weeds. Audit workflow software is one way to expedite the process.

In addition, the JumpCloud open directory platform provides recommended policies that you can turn on with the flip of a switch. The platform’s customization makes it easy to automate the most common controls and hygiene standards you need to achieve compliance. 

3. Competing Regulatory Requirements

Sometimes the problem isn’t “not knowing what to do,” but navigating seemingly conflicting standards and regulations. Just ask Idan Mashaal, JumpCloud senior EMEA solution consultant and Israel country manager. 

During his time as employee no. 5 at Plus500, Idan confronted many unexpected challenges while managing requirements from financial regulators in multiple countries, including the UK (FCA), Australia (ASIC), Cyprus (CySEC), and more.

“In one particular instance, the GDPR said we needed to allow users to be forgotten, but the financial regulations said I needed to store the information for seven years,” he said. “So, we were in a debate between the law and the European Union, which dictated a 50 million euro fine, and the license that will allow me to make money.” 

In addition, the GDPR governs only the personal data of people in the EU, which raises the question: should the organization apply the EU standard to everyone (at the expense of how it does business elsewhere), or should it build separate handling for customers outside the EU?

Ultimately, Idan realized that the "right to be forgotten" isn't synonymous with a "right to be deleted." The solution was to "forget" who the user was as a person, removing the details that identify them, while keeping the transaction records the financial regulator requires intact. The GDPR anticipates this: its erasure right (Article 17) exempts data that must be kept to meet a legal obligation, but that exemption covers only what the obligation actually needs, so identifying details the retention rule doesn't require can still go. This is just one example of the many unexpected situations you may encounter on the way to compliance.
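One way to implement the "forget the person, keep the data" approach described above, as an added example that is not JumpCloud's or Plus500's code: identifying fields are stripped from the user's records, the customer ID is replaced by a keyed one-way pseudonym (an HMAC, which is this example's choice; the article does not say how Plus500 did it), and the trade fields the regulator requires are kept until a retention date computed from the trade date, after which they can be purged. The record layout, field names, seven-year period, key, and sample records are all assumptions constructed for the example.

```python
"""'Forget the person, keep the record': an added example (not JumpCloud's
or Plus500's code) of reconciling a GDPR erasure request with a statutory
retention duty. The record layout, field names, seven-year period, key and
sample records are assumptions constructed for this example."""
import hashlib
import hmac
from datetime import date

# Fields that identify a natural person; removed when the user is "forgotten".
IDENTIFYING_FIELDS = ("name", "email", "phone", "address", "date_of_birth")
# Fields assumed to be required by the financial regulator; kept for the
# retention period.
RETAINED_FIELDS = ("trade_id", "instrument", "amount", "currency", "executed_on")
RETENTION_YEARS = 7  # assumed statutory retention period for trade records

# The pseudonym key must live outside the trade database (a separate secrets
# store, or be destroyed once linkability is no longer needed) so that holding
# the records alone is not enough to reverse a pseudonym. Constructed value.
PSEUDONYM_KEY = b"example-key-kept-outside-the-trade-database"


def pseudonym(user_id: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed one-way token for a user ID. Deterministic, so a former
    customer's trades stay linkable to each other for an audit, but not
    reversible by anyone who lacks the key."""
    return hmac.new(key, user_id.encode(), hashlib.sha256).hexdigest()[:16]


def has_identifying_data(record: dict) -> bool:
    """True if any field that identifies a person is still present."""
    return any(field in record for field in IDENTIFYING_FIELDS)


def add_years(d: date, years: int) -> date:
    """Add calendar years; 29 February rolls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def forget_user(records: list[dict], user_id: str, today_iso: str) -> list[dict]:
    """Apply an erasure request. Every record of `user_id` is rebuilt from the
    retained fields only, keyed by a pseudonym and stamped with the date after
    which it may be deleted. Other users' records pass through unchanged; the
    input list is not modified."""
    today = date.fromisoformat(today_iso)
    out = []
    for rec in records:
        if rec.get("user_id") != user_id:
            out.append(rec)
            continue
        kept = {k: v for k, v in rec.items() if k in RETAINED_FIELDS}
        kept["user_id"] = pseudonym(user_id)
        kept["erased_on"] = today.isoformat()
        # Retention runs from the trade date, not from the erasure date.
        executed = date.fromisoformat(rec["executed_on"])
        kept["retain_until"] = add_years(executed, RETENTION_YEARS).isoformat()
        out.append(kept)
    return out


def purge_expired(records: list[dict], today_iso: str) -> list[dict]:
    """Drop erased records whose retention period has ended. Records that were
    never erased belong to active customers and are kept."""
    today = date.fromisoformat(today_iso)
    return [
        r for r in records
        if "retain_until" not in r or date.fromisoformat(r["retain_until"]) >= today
    ]


# Constructed sample records; not real customer data.
SAMPLE_RECORDS = [
    {"user_id": "u-1001", "name": "Dana Example", "email": "dana@example.com",
     "phone": "+357 00 000000", "address": "1 Example St, Limassol",
     "date_of_birth": "1988-02-29", "trade_id": "T-1", "instrument": "EURUSD",
     "amount": 2500.0, "currency": "EUR", "executed_on": "2020-02-29"},
    {"user_id": "u-1001", "name": "Dana Example", "email": "dana@example.com",
     "phone": "+357 00 000000", "address": "1 Example St, Limassol",
     "date_of_birth": "1988-02-29", "trade_id": "T-2", "instrument": "GOLD",
     "amount": -400.0, "currency": "EUR", "executed_on": "2021-06-01"},
    {"user_id": "u-2002", "name": "Sam Sample", "email": "sam@example.org",
     "phone": "+44 0000 000000", "address": "2 Sample Rd, London",
     "date_of_birth": "1975-11-03", "trade_id": "T-3", "instrument": "EURUSD",
     "amount": 120.0, "currency": "GBP", "executed_on": "2021-06-01"},
]

if __name__ == "__main__":
    after_erasure = forget_user(SAMPLE_RECORDS, "u-1001", "2023-03-17")
    for record in after_erasure:
        print(record)
    print("after retention ends:", purge_expired(after_erasure, "2028-06-02"))
```

The HMAC pseudonym is the design choice worth noting: a plain hash of the customer ID would let anyone with the records rebuild the mapping by hashing candidate IDs, whereas a keyed token is only reversible by whoever holds the key, and destroying the key later turns the retained records into anonymous data. Whether pseudonymised records still count as personal data under the GDPR depends on who can access that key, so document where it is kept.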

4. Balancing Usability and Regulatory Compliance 

Balancing data compliance controls with workflow efficiency isn't always easy. In some cases, a requirement sets parameters so impractical that people work around it, defeating its purpose. For example, say one regulation requires screens to lock after 10 minutes of inactivity.

But your research and development (R&D) department says that any lock timeout under 15 minutes interferes with their daily work. This is just one of many small but significant conflicts that arise when balancing controls against user experience.

Admins are often faced with answering a difficult question: Do we run the business most effectively or most securely? This unintentional catch-22 can make it even more difficult to find effective solutions that achieve both ends.


As an IT manager, you can and are expected to solve problems in innovative ways. You can ideate creative workarounds as you build toward compliance so long as you can:

a) provide the reason behind the control failure and

b) provide documentation of proposed remediation. 

In such instances, your auditor will typically check back in 30 days. As long as you have followed through on your remediation plan and can show you applied real thought to meeting the requirement, you're in good shape.

Remember: auditors aren’t pencil-pushing enemies analyzing rows of data for breakfast! 

They are supportive professional partners who possess valuable insights to help you succeed. 

The more transparent you are from the beginning, the better equipped they are to propose unique solutions to your problems. Work with your auditor to seek solutions to whatever makes it tough to follow a particular regulation, rather than assuming nothing can be done. 


Simplify Security Compliance with JumpCloud 

If you're ready to streamline IT security compliance planning, we recommend consolidating your stack as much as possible. Fewer tools mean less time spent sifting through large volumes of compliance data, and less risk of human error when piecing it together.

JumpCloud’s Directory Insights feature allows admins to access a variety of data points that can be quickly filtered for internal and external auditing purposes. Admins can also enjoy Users to Devices, Users to Servers, and Users to Directories advanced reporting options. 

Ready to get compliant? Our IT Compliance Quickstart Guide will walk you through how to prepare for an audit and how to boost your IT security baseline. 


Ashley Gwilliam

Ashley Gwilliam is a Content Writer for JumpCloud. After graduating with a degree in print-journalism, Ashley’s storytelling skills took her from on-camera acting to interviewing NBA basketball players to ghostwriting for CEOs. Today she writes about tech, startups, and remote work. In her analog life, she is on a quest to find the world's best tacos.
