Security is not compliance, and compliance is not security. I know that doesn't come as much of a surprise, but it is an important statement to parse.
The critical part of my job is to build a security program that is effective, efficient and agile. This program must also be mindful of the myriad compliance regimes from multiple regulators and industry groups. Unfortunately, by their very nature, regulations are not dynamic or agile, yet the security environment is chaotic, dramatically different every day.
Security compliance today consumes the majority of my resources in an endless cycle of new requirements, audits, testing, retesting, reporting and remediating. Unfortunately, all of this effort has only a marginal positive impact on the security posture of a financial services company where security has long been a priority. And each day we spend good money chasing yet another compliance requirement, most of which are obsolete by the time they land on my desk.
On the real security side, we have built a highly tuned risk management environment in which we are minimizing threats, and assessing, detecting, deflecting and blocking attacks. We have built a resilient security environment, dependent on multiple layers of defense and response, integrated to reduce our risk, enabling our business to innovate and grow in a safe manner while protecting our customers, employees and shareholders. It is a resource-intensive endeavor.
The compliance drain on resources compels a critical re-examination of processes and systems. To be successful, we must employ innovative approaches to meet the growing compliance challenges. This has led us to a major set of initiatives designed to minimize our compliance resource commitments. We have deployed a governance, risk and compliance (GRC) platform and have harmonized all of the compliance regime controls, reducing their numbers by approximately 80 percent. We have adopted a “test once, use many” approach to control testing so that we are not repeating tests, and we have developed a quantified risk assessment methodology to rationally reduce key controls and the overall testing requirements. We are working with our audit and compliance teams to leverage these systems, and to help us find new ways to reduce our compliance workloads.
But the journey has just begun. We are working to develop automated reporting and feeds to our GRC platform with our other security tools, such as identity management, scanning and log management.
When all is said and done, we must devote our resources to the core mission of security, or risk significant lapses in security for the sake of compliance. That is not a good outcome.
In a previous column, Archer said that to ensure innovation in cybersecurity policies, communications to key stakeholders must be concise, transparent and influential at all levels.
Archer says that a top priority at his firm is to continually assess the company's security risk posture and to follow that up accordingly with adjustments to the existing defenses.
Work with partners
Another component to Archer's strategy is to “better partner with our regulators to develop effective regulation that aids, not detracts, from security, and is more responsive and agile.”
Simple to operate
His ultimate vision, Archer says, is to enable a sort of “Jerry Big Red Easy Button,” which will deliver push-button compliance to the enterprise operations at a minimal cost.