SC Congress Chicago: Build a program that supports compliance
Experts at SC Congress Chicago on Thursday were set to share advice for following industry guidelines without getting buried in the details of compliance tasks.
Rick Doten, CISO at technology solutions firm Digital Management (DMI), told SCMagazine.com before the event that the first priority for organizations should be understanding their risk profile.
That involves deciphering what company data and systems are of value, where they are located and how long they remain valuable, Doten said. About 70 percent of DMI's business comes from the Department of Defense (DoD) or intelligence agencies, as the firm is primarily a federal contractor.
Doten said that one misstep often taken by public sector organizations is treating regulations as an end in themselves rather than as a means to security checks and balances.
“Unfortunately, in the federal government, particularly in the civil agencies, security is viewed as a compliance factor only,” Doten said. “They use that as their ceiling.”
While agencies, like DoD, have higher requirements for managing security processes than other public sector organizations, all too often there is still a “check box security” mentality, according to Doten.
“They focus on [threats] that are ubiquitous, rather than testing things in different environments,” he said.
Doten added that assessment of organizational risks, and determining IT infrastructure that will address those needs, sets the stage for a strong security program.
Ken Rowe, director of enterprise systems assurance at the University of Illinois in Champaign, told SCMagazine.com that his school deals with a plethora of security guidelines, from Payment Card Industry (PCI) standards to the Family Educational Rights and Privacy Act (FERPA), the federal requirements addressing student privacy, and state privacy laws on protecting data.
The enterprise services team at the university supports more than 100,000 online users, including students and staff. According to Rowe, a good place to begin when vetting security standards is with user access controls, which “revolve around provisioning of user access – or who you give computer system access to.”
John Johnson, global security program manager for John Deere, told SCMagazine.com that industries with fewer security regulations, like manufacturing, don't necessarily need more federal- or state-level oversight to protect their businesses or clients.
“Being compliant is a good thing, but mindlessly being compliant isn't adding any value,” Johnson said. “I certainly wouldn't suggest that we need more regulations in our industry. Spending more time checking off boxes isn't that valuable.”
Instead, organizations should determine what a mature security program looks like for them, and how it can be most efficiently implemented.
“Until you have a culture of security at your company, it will be a slow [process] to implement good security measures and have support from your management,” Johnson said.