There’s no question about it, no matter the differences between line-of-business executives, CIOs and security practitioners, the one thing they all have in common these days is a shared dread of a ten-letter word: compliance.

As regulations of technology practices have mounted over the years, most companies have struggled simply to keep ahead of the latest requirements while still managing the risks most important to them. Even though each new regulation hasn’t necessarily added revolutionary security requirements—there is certainly overlap between them—many businesses operate in a suspended state of compliance chaos because they have no way to tie the entire risk and compliance picture together.

The cold, hard truth is that many organizations are running a disjointed, ad hoc campaign to comply with regulations. Over the years they’ve tended to buy up single point solutions to address individual areas of compliance and produce evidence. With each new regulation comes a new product and no real change in processes to tie previous compliance efforts with the latest push. Further complicating the issue is the fact that this chaos might even be repeated within individual business silos. Not only is this a resource drain, but it may also fail to address the very issues of risk that the regulations were created to address in the first place.

The root of this chaos problem is that companies are taking compliance from a bottom-up perspective. All too often the organization starts seeking information from disparate business silos and pulling reports from different pieces of technology, and they start trying to use those components like pieces of a puzzle. They try to fit all of the puzzle pieces together to create their overall picture of risk and compliance.

But think about it for a second: when you do a jigsaw puzzle, you turn the cover of the box over so that you know what it is that you are trying to build. It helps you figure out where the pieces go. But most businesses don’t have that today. They have no idea about what that entire end picture is supposed to look like.

In order to truly move beyond the chaos, organizations need to flip their paradigm around and start moving to a top-down approach. There needs to be a way to envision what the total picture should look like, including not just compliance mandates, but also risk mitigation requirements based on the individual organization’s risk tolerance.

This top-down approach will better provide that picture on the puzzle box, offering a view of all of the controls needed for both compliance and risk management. That picture will better inform not just what technical reports to pull and assemble, but also how to fill in those often-hidden gaps from a lack of control over management of people and processes.

This flip-flopped approach also gives better visibility into the scope of compliance mandates and into how they overlap with one another. By starting from the top, organizations can better ensure they are not duplicating efforts. So many times I see organizations collect and analyze the same information repeatedly in order to comply with different regulations.

This suggestion may sound a little simplistic, but that is because it is simple in principle. Compliance and risk management best practices are not rocket science. They just require us to take a deep breath and plan our strategies in advance, rather than shooting from the hip.