Considering the complexity and scope of today’s regulatory environment, compliance has become a key corporate initiative that cannot be ignored. Coupled with the rise in security threats, organisations are now searching for a more effective, sustainable, and scalable approach to achieve their compliance objectives while improving the overall security of the organisation.
NETCB CEO Cobus Burgers says the challenge of building an effective compliance program is more daunting than ever before. “Especially one that helps meet one’s compliance, security, and business objectives simultaneously. The task of complying with scores of overlapping regulatory and industry mandates, often with the same set of IT resources, is time-consuming and complex.”
Too often, overwhelmed security teams revert to an “accredit and forget it” mind-set, allowing a minimal set of audit criteria to drive their security priorities, rather than focusing on managing risk in alignment with the risk tolerance and business objectives of the organisation.
In addition to the pressures of meeting multiple mandates and ensuring that the security budget is effectively utilised, organisations today are faced with a rapidly evolving threat landscape.
As new business models such as outsourcing and cloud computing make the network perimeter more fluid, and as attackers become financially or politically motivated, organisations must rapidly develop security program maturity to avoid a breach.
Organisations must be able to effectively develop, implement and monitor appropriate security controls for their critical information and infrastructure, wherever it may be. They must recognise that the “insiders” who have access to this critical information may not be who they seem, and as a result, all activity must be monitored and no one can be completely trusted.
Burgers says in this complex and challenging environment, the single best way to achieve compliance is to get the security basics right. “First, implement and manage to a harmonised set of controls that meet one’s evolving regulatory and corporate mandates. As one implements these security controls, make certain that the solutions provide the level of automation required by the organisation.”
The automation of routine, labour-intensive tasks is critical to reducing the cost of compliance and avoiding “audit panic” because it ensures a repeatable process and strict adherence to policy. Only an integrated, automated approach to compliance rooted in sound security principles is effective, sustainable, and scalable – enabling executives to achieve their compliance objectives and improve the overall security posture of their organisation.
“In today’s complex regulatory environment, many organisations struggle to integrate regulatory compliance programs with day-to-day security operations. This can lead to audit findings and data breaches that result in costly mitigation, or even fines and penalties,” he explains.
As compliance programs place ever-greater demands on IT resources, businesses are left urgently searching for a more effective, sustainable, and scalable approach that will achieve compliance objectives while improving the overall security posture of the organisation.
Furthermore, security budgets continue to be driven by compliance. The mandatory nature of regulatory compliance, combined with specific and quantifiable penalties for non-compliance, has directed a large portion of overall security spending toward compliance efforts.
“It is hard to argue with this objective, because the goal of compliance spending is to protect corporate profitability and avoid increased costs from non-compliance and possible brand damage,” he adds.
“However, when security projects are focused solely on meeting a minimal set of audit criteria rather than minimising risk, much of the potential benefit of this funding is wasted.”
The challenge for security teams is to ensure that security expenditures are directed toward a comprehensive risk mitigation program aligned to the risk tolerance and business objectives of the organisation.
The increased number of compliance mandates is driven in no small part by a growing public awareness of corporate malpractice and the risks of data theft. Regulatory and industry bodies have responded to public concern by mandating breach notification and imposing increasingly broad controls with more stringent penalties for non-compliance.
Furthermore, as organisations seek to enforce compliance standards across their businesses, they may impose additional or even contradictory goals on administrators and compliance officers in the process.
“Many of today’s organisations are struggling to implement a sustainable compliance program that can address the full set of compliance mandates and adapt quickly as mandates evolve or new mandates are created,” he says.
External threats have evolved from individual hackers to sophisticated, organised groups motivated by financial and political gain. These attacks are often backed by the funding of international corporations, organised crime, and even governments. With this level of support, it is not surprising that security breaches are enabled by increasingly sophisticated technology and often assisted by someone on the inside.
Burgers says the insiders are bribed, coerced or even recruited specifically to join the organisation to steal sensitive information. “With this in mind, do you know if your team is prepared to defend against these sophisticated attacks, and do you know who in the organisation you can trust?”
IT security has not kept pace with evolving technology and business models. More importantly, staffing has become one of the largest expenses on the IT budget. In an effort to slow this growth and control costs, there has been constant pressure to outsource where possible, especially where specialised skill sets are required. In fact, it has been several years since the average organisation was staffed exclusively by true employees.
As a result, most organisations have policies and controls in place to support temporary staff, onsite partners, and even visitors. In the effort to control costs, what many organisations have failed to consider is that outsourcing tasks does not transfer responsibility. If the outsourcing partner fails to adhere to control objectives, the liability is still held by the organisation.