CMMC Update by Glenda R. Snodgrass for The Net Effect

April 15, 2026

Compliance is a Team Sport

A client called me recently and said "I've heard you say that compliance is a team sport, but I'm struggling with how Operations fits into the compliance program?"

Good question! Let's talk about who needs to be on your Compliance Team.

Of course, IT has to be on the team, but IT cannot be the entire Compliance Team! Cyber security and compliance are not "IT problems," they are "whole of business problems." Until your organization understands this, your compliance program will not succeed. Remember that of the 110 controls in NIST SP 800-171r2, only about 1/3 are strictly technical. Another 1/3 are strictly policy and procedure, and the remaining controls can be met with either or a combination of the two.

Physical security has an entire domain of its own (literally called "Physical Protection (PE)"), but it will also figure in controls from other domains (Incident Response (IR) is the first that comes to mind).

HR is the next obvious choice, as they are most likely the central figures in the domains of Awareness and Training (AT) and Personnel Security (PS). They would also be part of your Incident Response Team (actually, every department should be represented on the IRT), and would likely be involved with some controls in other domains (Access Control (AC) jumps right out as an example).

Contracts management may be legal counsel, may be a compliance person, may be a contracts manager ... this role will vary in each organization, but this is an important part of the Compliance Team. Requirements come from contracts. If you don't know (and understand!) what is in your contracts, it's impossible to define your scope of compliance.

Finance might be involved, for example, as it's often the finance department that maintains the asset inventory (for purposes of tracking depreciation and obtaining appropriate insurance coverage).

Who else? Do you have an internal audit group? That's a great addition to your Compliance Team. What about an R&D or testing division? They often have unique needs that must be considered. Maybe your business development lead wants to be involved -- they interact directly with the customers and may have the best idea of what requirements are coming up for you. QA/QC? They are usually very good at documentation and typically have audit experience. Supply Chain Management? Those compliance obligations may need to flow down to your vendors and subcontractors.

Oh geez, we haven't talked about Operations yet! Is that because Operations is the least of these? No, it's because Operations has responsibilities in nearly every aspect of your compliance program -- because Operations conducts the day-to-day activities that handle protected data. Operations is a critical part of your Compliance Team.

In what ways? Well, Operations is often involved in defining job duties and access permissions. Operations oversees the employees handling data and knows whether they are following the rules or not. Operations plays an important role in your Change Management Process, because any changes to process have the potential for disrupting Operations. Operations may have responsibilities for securing infrastructure and performing maintenance. Operations is a critical piece of your Incident Response (IR) and should be involved in your Risk Assessment (RA). Even the domains that are typically the responsibility of IT (Configuration Management (CM), System and Communications Protection (SC) and System and Information Integrity (SI)) will need input from Operations for at least some of those controls. After all, IT installs and configures the technology -- but it's Operations that actually uses it to do the work of the business!

These are the roles I consider most critical to an effective Compliance Team, but your organization may need more, or simply others. It depends on your structure and culture.

So, can I help you put together your new Compliance Team? Reach out.



Sincerely,

Glenda R. Snodgrass, CCP/CCA/Lead CCA
grs@theneteffect.com
The Net Effect, LLC
www.theneteffect.com
251-433-0196 x107


Copyright 1996-2026 The Net Effect, L.L.C. All rights reserved.