Risky business: Marriage of compliance & security

Compliance obligations don't ensure security, but companies can marry the two to reap rewards, reports Julie Sartain.

With the threat landscape expanding in every direction, it's never been more necessary for companies to ensure that their proprietary data is protected from the growing army of saboteurs intent on stealing it. Complementary to these concerns, however, is the added requirement that companies get in line with state and federal regulations and industry mandates. While many regard compliance as a headache, others recognize that ensuring an enterprise is ready for regulators can also add to its security posture. The tough part, many say, is getting the C-suite to see it that way.

Many organizations see compliance as an obligation, says Scott Crawford, managing research director of security and risk management at Enterprise Management Associates, a Boulder, Colo.-based firm that provides research, analysis and consulting services to IT professionals. “Regulators tend to see it largely as establishing the floor rather than a ceiling, since so many organizations tend to minimize their efforts, either out of ignorance or because they see security as burdensome or too costly without providing sufficient benefits in return.”

The downside of compliance initiatives is that achieving a minimum may not result in any real change in the security posture, says Crawford. That is, motivated attackers may find weaknesses, regardless. Worse yet, he says, is the situation where compliance requires organizations to adhere to requirements that malicious parties have already rendered effectively obsolete, since requirements may be defined more slowly than the threat landscape evolves.

What's vital, he says, is motivating organizations to invest time and dollars on security as part of their rationale for compliance initiatives. “However, if compliance forces them to spend on specific issues, it limits what they can spend in other areas where it might actually make a difference – if they are motivated to spend at all,” he says. 

Brian Berger, executive vice president at Wave Systems, a Lee, Mass.-based firm that helps organizations manage computer security, says how much to focus on compliance depends on the organization. The real discussion on cost occurs when an organization is breached and/or a loss occurs, and compliance requires notification and payouts for the violation. 

“Security is not stagnant in its design or capabilities,” says Berger. “It needs to grow with an organization, or as requirements change based on the environment. This sets the building blocks in place for organizations to meet long-term compliance needs versus a short-term stopgap.”

This can be accomplished through effective risk management. According to a recent global Gartner survey of 175 board members about their investment plans for fiscal year 2012, few anticipated a decrease in spending on risk management (4 percent), corporate governance (10 percent) or legal and compliance (8 percent), while a large number (60 percent) said that risk management spending will actually increase, says John Wheeler, risk and security management research director at Gartner.