Risky business: Marriage of compliance & security


Compliance obligations don't ensure security, but companies can marry the two to reap rewards, reports Julie Sartain.

With the threat landscape expanding in every direction, it has never been more necessary for companies to ensure that their proprietary data is protected from the growing army of saboteurs intent on stealing it. Alongside that concern sits a second requirement: companies must also comply with state and federal regulations and industry mandates. While many regard compliance as a headache, others recognize that getting an enterprise ready for regulators can also strengthen its security posture. The tough part, many say, is getting the C-suite to see it that way.

Many organizations see compliance as an obligation, says Scott Crawford, managing research director of security and risk management at Enterprise Management Associates, a Boulder, Colo.-based firm that provides research, analysis and consulting services to IT professionals. “Regulators tend to see it largely as establishing the floor rather than a ceiling, since so many organizations tend to minimize their efforts, either out of ignorance or because they see security as burdensome or too costly without providing sufficient benefits in return.”

The downside of compliance initiatives is that achieving a minimum may not result in any real change in the security posture, says Crawford. That is, motivated attackers may find weaknesses, regardless. Worse yet, he says, is the situation where compliance requires organizations to adhere to requirements that malicious parties have already rendered effectively obsolete, since requirements may be defined more slowly than the threat landscape evolves.

What's vital, he says, is motivating organizations to invest time and dollars on security as part of their rationale for compliance initiatives. “However, if compliance forces them to spend on specific issues, it limits what they can spend in other areas where it might actually make a difference – if they are motivated to spend at all,” he says.

Brian Berger, executive vice president at Wave Systems, a Lee, Mass.-based firm that helps organizations manage computer security, says how much to focus on compliance depends on the organization. The real discussion on cost occurs when an organization is breached and/or a loss occurs, and compliance requires notification and payouts for the violation.

“Security is not stagnant in its design or capabilities,” says Berger. “It needs to grow with an organization, or as requirements change based on the environment. This sets the building blocks in place for organizations to meet long-term compliance needs versus a short-term stop gap.”

This can be accomplished through effective risk management. According to a recent global survey by Gartner of 175 board members, where participants were asked about their investment plans for fiscal year 2012, few anticipated a decrease in spending related to risk management (4 percent), corporate governance (10 percent) or legal and compliance (8 percent), while a large number (60 percent) responded that risk management spending will actually increase, says John Wheeler, risk and security management research director at Gartner.
