The increasing burden of regulatory requirements is beginning to have a negative spillover effect on IT departments and their ability to manage IT security, according to some industry observers.
An increasing focus on meeting regulatory compliance may be diverting resources away from dealing with live security threats, and therefore raising overall security risk, according to a recently released study by Dr. Jonathan Liebenau, a professor in the Department of Information Systems at the London School of Economics.
Commissioned by McAfee, the report, International Perspectives on Information Security Practices, showed how IT security practices and preferences of CIOs continue to change as compliance pressures interact with changing technical challenges in the enterprise. Liebenau interviewed CIOs in the financial services industry in the U.S., Asia and Europe.
The study cited a security manager from a Scandinavian bank who commented, “It costs a lot of money to work towards compliance, and sometimes this takes resources away from dealing with real risks.”
Bruce Schneier, an IT security specialist and author of numerous books on security, said that when it comes to compliance, companies tend to “do the right thing for the wrong reason.”
“The whole point of compliance is that people do the right thing for the wrong reason. You don’t do the right thing because you should; you do it because you don’t want to get in trouble,” said Schneier, who is also the founder and chief technology officer for managed security services firm BT Counterpane in Silicon Valley.
While Schneier did not agree that implementing compliance measures puts companies at risk, he acknowledged that as companies deal with more compliance issues, they tend to spend less on security.
But is being compliant synonymous with being secure? Schneier said, “It might, or it might not.” It all depends, he added, on what the company is complying with.
Another security expert agreed that achieving compliance may or may not be synonymous with IT security. But being compliant does make at least one aspect of an organization more secure, said Tom Welch, president and CEO of security consulting firm Bullzi Security in Lake Mary, Fla. He admitted, though, that many of his clients treat compliance as their top priority.
“Many decisions have been made by management that will look at the whole (business) picture and say, ‘Help me achieve my level of compliance first.’ And if they do that, at least one area of their company is achieving a high level of security at the same time.”
Welch also noted that many companies get overwhelmed with satisfying regulations. When that happens, it is easy to be blindsided and lose sight of the overall security posture, he added. “Many times, security is a bigger picture than compliance,” Welch explained. “Compliance is very, very focused, whereas security is more global for an organization.”
Juggling between compliance and security is especially challenging for global organizations that have to deal with multiple regulations within the jurisdictions in which they operate. But while it’s a lengthy process, it is possible to ultimately achieve the level of compliance an organization requires, while ensuring that IT security is given the attention that it deserves.
The first step is knowing the value of your business and what its most important assets are.
Although compliance can be overwhelming, Welch recommends that companies take a holistic approach, where both compliance and security requirements are addressed, starting with the most valuable business assets.
For one Toronto organization, it’s all about having a comprehensive security plan and building compliance into it.
As the agency mandated by the Ontario government to provide tools and services to facilitate secure electronic communications among healthcare providers, Smart Systems for Health Agency (SSHA) is faced with numerous regulatory requirements. Also, because huge amounts of confidential health records pass through its network each day, the security requirements for SSHA are especially stringent.
“I think the reason a lot of organizations are in that mode where they think the compliance issues are causing a lot of internal pain could be the fact that their own security or privacy programs are not comprehensive and cohesive enough,” said Bobby Singh, director of security at SSHA.
Driven by the need to provide its services in a highly secure fashion, SSHA has taken a comprehensive and unified approach to privacy, security and compliance from the very beginning.
“If you have a really good program in place, being in compliance to regulations is not a huge exercise. It becomes such a huge exercise if you treat compliance as a separate exercise or a separate initiative and you don’t blend that into your (comprehensive) program,” said Singh.