“Hey, Dad, we’re supposed to write a report about a Greek myth, and the teacher assigned me the one about Sisyphus. Do you know anything about him?”
I’m glad my daughter still asks me for help with her English homework. I’m doubly glad when she doesn’t ask me for help with her Algebra homework.
And, considering that I work around IT controls for compliance mandates like SOX, HIPAA, PCI DSS and FISMA, I know something about the way Sisyphus felt.
I told her what I could remember about Sisyphus: that he had been a king in ancient Greece, but that he had gotten on the wrong side of the wrong authority. His eternal punishment was to roll a boulder up a hill, watch it roll right back down, then roll it back up again.
“I know,” my daughter said. “I found all that on the internet. But it’s dumb.”
“It is dumb,” I said. “It’s an exercise in futility. A lot of things are, and that’s the point of the story.”
“Yeah, but who would push a rock up a hill over and over again?”
“Not many people.”
Not many people except for IT managers dealing with compliance, that is.
Compliance is about mitigating risk, and most companies turn to IT to mitigate that risk by monitoring changes and preparing for audits. If you’re an IT manager or compliance officer in that role, you can pour so much effort into putting controls in place that it can feel like an exercise in futility. If you fail an audit because you’re monitoring and re-assessing IT controls ad hoc, you too can end up on the wrong side of the wrong authority and have to start from scratch again. That will feel a lot like rolling a boulder up a hill over and over. Probably worse.
“I still don’t buy it,” she said. “It’s too gruesome and it’s a crummy story anyway.”
I had to agree with her there, so I tried to explain futility in terms that a 11-year-old would understand. I sounded a lot like somebody explaining what happens when you don’t automate IT controls and safeguards for compliance mandates: more frustration, more wasted effort, no real progress.
My daughter wasn’t having any of it. “But why would they make a myth about futility?” she asked. “Why would they say that somewhere there’s a poor jerk who has to push a boulder up a hill for the rest of time?”
Those questions I couldn’t answer. There are better ways to explain futility to your daughter, and there are better ways to describe all the work and re-work that go into doing continuous compliance without automation.
But Laurel and Hardy found the best way of all.
There weren’t many IT controls in place in 1932 when Laurel and Hardy made The Music Box, but there was plenty of frustration and futility. With the best of intentions, the duo spend much of the short film lugging a crated player piano up a flight of 131 steps and watching it careen back down the steps over and over. It’s pure Stan and Ollie, which is to say a textbook case of doing everything the hard way.
I played it for my daughter, who laughed through the entire thing. “That’s the Sisyphus reboot, isn’t it?” she asked when it was over.
“Yes,” I said, “only not as hopeless or tragic. You can see a dozen ways why the whole thing shouldn’t be as difficult as they make it. If they got their act together, they could get around all the work and re-work, and make their task easier.”
Just like those IT managers struggling up the hill (or staircase) of ever-changing compliance mandates.
There are ways to automate many of the safeguards required for IT security in SOX, HIPAA, PCI DSS, FISMA and other mandates. You’re in regulatory compliance when you can demonstrate appropriate IT controls for mitigating the risk of fraud and protecting electronic information. The best way to do that without having the boulder (or music box) roll back over you is by automating your monitoring, self-audits and reports to show how well you’ve buttoned down your environment.
If my daughter goes into IT someday, maybe she’ll see that. Meanwhile, at least she can get on with her homework.
So who is your compliance hero: Sisyphus, or Laurel and Hardy? Either way, you can make compliance easier by automating the IT controls your organization looks to you to put in place.
Read our latest tech brief. It examines IT security compliance from an auditor’s perspective for several IT-heavy compliance mandates—SOX, HIPAA, PCI DSS and FISMA—and the implications they have for your IT security efforts.
And when my daughter finishes her report on Sisyphus and futility, I’ll send you that, too.