Compliance obligations don’t ensure security, but companies can marry the two to reap rewards, reports Julie Sartain.

With the threat landscape expanding in every direction, it’s never been more necessary for companies to ensure that their proprietary data is protected from the growing army of saboteurs intent on stealing it. Complementary to these concerns, however, is the added requirement that companies get in line with state and federal regulations and industry mandates. While many regard compliance as a headache, others recognize that ensuring an enterprise is ready for regulators can also add to its security posture. The tough part, many say, is getting the C-suite to see it that way.

Many organizations see compliance as an obligation, says Scott Crawford, managing research director of security and risk management at Enterprise Management Associates, a Boulder, Colo.-based firm that provides research, analysis and consulting services to IT professionals. “Regulators tend to see it largely as establishing the floor rather than a ceiling, since so many organizations tend to minimize their efforts, either out of ignorance or because they see security as burdensome or too costly without providing sufficient benefits in return.”

The downside of compliance initiatives is that achieving a minimum may not result in any real change in the security posture, says Crawford. That is, motivated attackers may find weaknesses, regardless. Worse yet, he says, is the situation where compliance requires organizations to adhere to requirements that malicious parties have already rendered effectively obsolete, since requirements may be defined more slowly than the threat landscape evolves.

What’s vital, he says, is motivating organizations to invest time and dollars on security as part of their rationale for compliance initiatives. “However, if compliance forces them to spend on specific issues, it limits what they can spend in other areas where it might actually make a difference – if they are motivated to spend at all,” he says. 

Brian Berger, executive vice president at Wave Systems, a Lee, Mass.-based firm that helps organizations manage computer security, says how much to focus on compliance depends on the organization. The real discussion on cost occurs when an organization is breached and/or a loss occurs, and compliance requires notification and payouts for the violation. 

“Security is not stagnant in its design or capabilities,” says Berger. “It needs to grow with an organization, or as requirements change based on the environment. This sets the building blocks in place for organizations to meet long-term compliance needs versus a short-term stop gap.”

This can be accomplished through effective risk management. According to a recent global survey by Gartner of 175 board members, where participants were asked about their investment plans for fiscal year 2012, few anticipated a decrease in spending related to risk management (4 percent), corporate governance (10 percent) or legal and compliance (8 percent), while a large number (60 percent) responded that risk management spending will actually increase, says John Wheeler, risk and security management research director at Gartner.

Compliance + security

Organizations need to refocus and make compliance the by-product of a comprehensive, effective and monitored security program, rather than the stated goal of such a program, says Andrew Rose, a principal analyst at Forrester. 

“It is vital that controls and metrics match the organizations’ risk profile and risk tolerance, rather than just seeking to tick the boxes that the compliance auditors check,” says Rose. “If there are aspects of the security program that leave elements of compliance unaddressed, then these become discussion points both internally and with the regulator.”

He adds that it’s also important for compliance to be measured effectively. Where an organization has to comply with several different regulatory frameworks, they should consolidate the requirements and move to a “measure once, report many” solution. In this way, Rose says, amalgamation of control monitoring helps firms maintain ongoing visibility of their compliance position and prioritize investment.

Funding risk mitigation 

The individuals who run companies fall into one of several groups: Those who realize the security risk and want to avoid it, those who believe it will not happen to them and do nothing, and those who know they have to do something, but are unsure what or how to do it, says Benjamin Gaddy, North American advisory board co-chair and information assurance security project manager at (ISC)², a Palm Harbor, Fla.-based nonprofit that offers information security education.

Gaddy says those companies that comprehend potential risk are the most willing to allocate the funding necessary to mitigate it. These decision-makers know from experience what a breach can cost a company if it does nothing, he says, so they are willing to support efforts to prepare. Executives willing to get ahead of the curve, he says, ask, “How much security can I afford?” and then apply funding to the best of their ability. Some companies have deeper pockets than others, but all recognize that it’s a vital business expense.

Gaddy’s second group includes those companies that usually hire experts to identify what they need and how to navigate from point A to point B. Then it becomes a business decision regarding how to accomplish this task. “This is where a good business becomes critical,” says Gaddy. “It tells a company how to enter into the world of compliance and security. They see it as a good business investment and are willing to show their clients that they have one, and are building a better, more robust one for the future.”

In the third group are companies that don’t want to subtract from the bottom line. These firms, Gaddy says, believe that anything other than an anti-virus program is wasted funds. The C-suite doesn’t see the risk or believe the organization might be a potential target. “These companies are willing to place their clients’ standing at risk to save a few dollars,” he says. “Sometimes, companies with this mindset find themselves in deep trouble when problems occur, including loss of client information, personal data and other items that have a significant impact on the total business profile.”

Rob Ayoub, manager of technical marketing at Fortinet, a Sunnyvale, Calif.-based network security appliances vendor, agrees that compliance may be considered a pressing issue, but adds that improved security does eventually prevent loss. “I believe there has to be a focus on security as opposed to compliance,” he says. “The CISO, or another person responsible for security, has to establish realistic benchmarks and a progression for a risk management plan. There also has to be continued executive-level education around the changing threat landscape and detailed risk analysis to the business.”

It comes down to taking on everything in moderation, says Christie Grabyan, managing security associate at Phoenix-based security consultancy Stach & Liu. “A company’s security maturation may go through growth spurts, but you can’t expect to grow a foot in a day,” she says. “Even the appropriate risk threshold will change over time. Getting the money to achieve your security strategy is no different than obtaining money for any other business objective.”

In other words, she says, CISOs must address their executive sponsor’s pain points, communication style and needs in the way they frame their proposals. Then they must ensure that the program makes financial sense, and build trust through effective execution.