Patrick J Conte, CEO, Agiliance

The need to map security to the business has been an ongoing topic of conversation for quite some time. While that might mean different things to different people, the common denominator is that it requires a change in how IT and security professionals think about and approach security.

Regulatory compliance has been a great enabler in forcing this sea change. SOX tied executive-level accountability to IT, and compliance spending tied “gaps” in the IT infrastructure to a dollar amount. The need to prioritize which gaps to fix first helped to crystallize the discipline of risk management. According to Forrester, when you combine effective risk and compliance management, what you get is good corporate governance.

While the Governance, Risk and Compliance (GRC) market is extremely broad and still being broken down into more manageable components by analysts (and everyone else), one could argue that it inherently links security to the business, and in doing so, is helping to shepherd the industry along.

A recent survey from The Deloitte Center for Banking Solutions tracked what 20 of the top 50 banks spent on compliance from 2002 to 2006. No big surprise, spending increased each year, rising from 2.83 percent of total net income in 2002 to 3.69 percent in 2006, a jump of almost a third in just 4 years. That translates to about $83.5 million per bank spent on all aspects of compliance, with $14 million of that spent on IT.

The survey also said that one of the main reasons compliance costs are on the rise is that banks are overspending on people (more than 60% of their budgets) and underspending on scalable technology. In other words, it’s time to automate IT compliance processes. It’s a good crossroads to be at because it shows we know what’s broken.

We also have some lessons learned. SOX was reviled for being too vague, which is one thing you can’t say about PCI (although it might be reviled for other reasons). Plus, after five years of SOX and its regulatory and private sector brethren, compliance, security and risk — while far from fused — are no longer mutually exclusive. As a result, CSOs can justify security investments based on business ramifications and operational efficiencies instead of FUD.

While, as an industry, we’re still at the beginning of the learning curve, the Deloitte report and plenty of others like it will continue to help us understand what doesn’t work. Moving forward, one way to further align security with the business will be not only to continue to innovate and automate IT compliance management, but also to improve our ability to articulate the benefits it delivers across the organization.