Much has been written about compliance. Best practices. New regulations. Technology cure-alls. Nevertheless, regulatory compliance remains a critical and strategic business need for most companies. If you process payments online; if you store sensitive customer data; if you transit financial or health information; you are bound by the mandates of an alphabet soup of state, federal and industrial regulatory agencies. Compliance is a reality of everyday business life, but often times becomes a burdensome cost center.
Over the past several months I have had the opportunity to meet with and speak to several IT pros, compliance officers, security specialists, CIOs and other interested execs. The issues they collectively present are often repeated across industry lines, market sizes and enterprise hierarchy types.
In fact I address several of these issues in a speech I gave last month at the 2013 Credit Union InfoSec Conference: Last week I offered an 8-minute excerpt of the speech. In case you missed it, here’s the link
Compliance, they say, is a burden. A necessary evil. They all understand that the ability to promote their services within a safe and secure online environment not just a key to growth, but a chief element in building a continuous and trusting relationship with clients and customers. BUT it requires a significant investment in money, time and other resources.
Compliance, they say, is complicated. A director of info tech at a Southern California financial institution told me his team is beholden to 7 different agencies a month. They require much of the same detail, but require it in different and various formats and presentations. He further told me that it requires well more than 50 hours a week just to keep up with the collection, review, reporting, and adjustments based on feedback. And it’s not always a winnable battle.. Above and beyond that are the new wrinkles presented by clients, partners, customers, and vendors in terms of how they choose to interact with data. This brings up issues with BYOD, securing SaaS and web applications and proper provisioning of multiple pockets of data spread across multiple servers. and More time. More resources.
Compliance, they say, is often addressed with minimal resources. It’s not that any of these companies are actively operating outside the rules of compliance, but because of the expense, the complexity and the headcount, they apply the minimum necessary to pass regulatory inspections. Compliance, is a cost center, and if it can be done by putting a sensor on a device and reviewing logs every so often, then it is one less crisis in a hat full of fire.
Compliance, they say, requires the monitoring of multiple silos. The portions requiring sys log monitoring require one set of eyes. The portions requiring real time intrusion detection, another. And still another that requires the proper maintenance of user accounts and application access permissions.
The issues are clear. Compliance is more than log management. It is more than SIEM; more than identity and access management. The layers of security necessary to address the myriad of audits, reports and processes are typically expensive. The expense is not limited to the technology applications and solutions, but to personnel, consulting, expertise retention, and resources. These requirements tax operational resources, reduce the ability to focus on core competencies or force reassessment on IT asset prioritization.
It is in this spirit that I present a white paper that identifies some of the common themes and threads required by compliance agencies (FFIEC, HIPAA, PCI, SOX, FISMA, NIST, etc…). By my count there are more than 300 compliance agencies worldwide, but there are only about 10-20 security specifics that each requires to pass audits. More than identifying theses common threads, the document shares how to apply best practices using cloud security solutions to not only cut costs, time to market, but to remove the silos and centralize security as a single source for monitoring, automating and reporting.
And, of course, through unified centralization (via security-as-a-service), you establish the ability to leverage the capabilities of each element. Instead of four or five solutions each requiring four or five reports, logins and the physical coordination for reporting, compliance is achieved by a collaborative, and integrated model. And it is affordable, scalable and manageable because of the benefits afforded by the cloud.
I personally invite you to download my white paper As compliance is typically an compulsory bureaucratic construct, being compliant doesn’t necessarily make your network and other IP assets secure. However, being secure, does make one compliant.
This white paper is a strong road map to reducing the burden and creating better visibility across an enterprise.