Monday, August 13, 2012

What Can You Do To Keep Ahead of Changing Compliance Regulations?

So much has already been written on this subject. Search for "compliance does not equal security" and you'll see what I mean. Compliance standards and requirements are always evolving. We all know that. Some regulatory requirements are more mature than others, but the common thread is that they are always changing as new ones are emerging.

Throughout the year, and especially at audit time, security and IT operations staff have to jump through hoops to make sure they are collecting evidence and performing to established procedures, on top of their day-to-day firefighting and project work. All in the name of "Compliance" routines. For what? To pass an audit? In the rush to get this evidence collected and abide by the "documented procedures", what is getting missed or isn't getting done? What is the cost to your operations and hence, your bottom line? What is the cost to your overall security posture?

So how can you keep ahead of the changing compliance landscape, avoid all of this running around to meet "compliance", operate in a cost-effective manner, and still manage adequate and effective information security controls?

Here are some thoughts:

Build a security program whose output is compliance.

This is fundamental and essential. If you develop a strong security program from the top down, you can easily map compliance requirements to that security framework. This includes the "tone at the top" management commitment to an information security program. Clear directives in the form of information security policies establish the security direction for everyone in the organization. Establishing these mandates within an organization will get everyone headed in the right direction, and get them out of the "run around, the auditor's here" mindset. It just becomes part of the way you do business.

Develop your security program around a control framework suitable for your organization.

There are several choices here, and you don't have to reinvent the wheel. NIST SP800-30, ITIL, COBIT, and other IT control frameworks can all be customized to fit your specific needs, industry, and security program maturity. Don't be afraid of adjusting them to be user-friendly in your environment. Creating a solid way of tracking your security controls will pay big dividends in the long run. Without an adequate way of tracking your security (and IT) controls, you really don't have clarity about which controls you have in place, and perhaps more importantly, why you have them in the first place.

Map security controls within your control framework to (fill in the blank here) compliance requirements.

This is the biggie. By tying your security control activities to compliance requirements, you should be able to effectively address any compliance requirement that comes up. And when those change, or new ones are added, guess what? All you have to do is update your framework. Sure, there may be adjustments to policies, procedures, etc., but those are manageable. If you already have a control in place that wasn't previously covered by the compliance requirement, great! You've already been doing that control activity, so just update the framework to include the new compliance mappings.

If you don't know where you are going, any road will get you there.

Get help. Seriously, if you don't know where you are, where you are going, or how to get there, get help. Critical Assets, for example, can help you with all of the above and much more. Our security professionals have years of experience in a wide variety of vertical markets and industries. We can help.

Friday, August 10, 2012

Three Approaches to IT Security: The Hard Way, An Easy Way, and The Wrong Way

The hard way to do organizational security: DIY Security, also known as in-house security, IT-security department, "the IT/security guy", etc.

Why is DIY security typically a bad idea? Many organizations don't have a top-ranking executive in charge of IT or cyber security, or that executive is under-informed about cyber security risks. A 2012 Carnegie Mellon survey of the Forbes Global 2000 list found that fewer than 1/3 of the companies surveyed are "undertaking basic responsibilities for cyber governance" at the board and senior executive level.[1]

Because executives don't always take charge of the really tricky subject of cyber/IT security, security accountability within an organization may be murky. Designated security enforcers can face resistance, backlash, and noncompliance from higher-ups, with no one to stand in their corner when security vs. convenience debates start to heat up.

Security Vs. Convenience: CONVENIENCE WINS!!

Lack of cyber-security accountability can lead to the "security guy" getting peer pressured into recommending convenient security solutions that band-aid risks but don't result in better organizational security against threats such as insider threats, BYOD hijacking, organizational mobile device hacking, and client-side vulnerabilities.[2]

DIY security can work if your organization can do the following:
  1. Hire a seasoned cyber security expert.
  2. Communicate regularly with the organization about IT security challenges and countermeasures.
  3. Keep ahead of all cyber risks and threats.

If you have a proprietary software product or important company structure or product details that you don't want to share with outside software experts, it may be worth the hassle to create a cyber IT security department with a clean chain of accountability and command, clear communication and compliance enforcement, and a diverse, well-informed security team.

All of the above is not impossible -- it's just hard.

The easy way to do cyber security: Hire professionals.

Why is professional management of cyber and IT security the easy alternative? Even if outside security consultants are expensive, hiring a dedicated firm to safeguard your cyber/IT concerns can work in an organization's favor.

Outside professionals are *fast*. Their business is to know the threats, the risks, and when those risks become a reality. Compromise can result in same-day loss of assets, and their reputation depends on rapid response.

Thanks to the power of the cyber security "assembly line" known as the security update, your security consultants will roll out security updates to your site along with any site they manage that requires protection or updates in response to actual attacks. This means you can get protection even before attacks against your assets occur. In-house security gurus may have to wait for an attack to occur before they are able to spot and fix a vulnerability.

Cyber security firms are vigilant. They look for exploits on a day-to-day basis, and when they find one, they roll out the fix to you ASAP. While your in-house guru might take a two-week vacation and leave you exposed to attack during that time, your security consultant team has you covered, round-the-clock, 365 days per year.

Outside professionals are diverse and can respond to a wide array of threats. Typically, a single cyber-IT security expert will have a specialty, such as a content management system that he/she is particularly a whiz at securing. If you have only one security professional on your IT team, you may get a one-dimensional security solution that creates the illusion of security on one attack surface and neglects many unknown but vulnerable attack surfaces. An outside security consultant firm will employ many experts with diverse security skills, giving you much broader protection against short- and medium-term threats.

Hiring an outside security team can come with just about any price tag, depending on your cyber security requirements, but if you find the right agency that you trust, it can be an easy response to dynamic, unpredictable cyber security threats to your organization and its assets.

Q: What's the wrong way to do organizational security?
A: Do nothing. Roll the dice.

Like paying taxes and setting up payroll, securing any data or systems run by your organization is a requirement. Small Web operations might ignore security concerns and opt to just use IT products out-of-the-box. These operations are putting their users and owners at risk of data and identity theft. Attacks may occur and result in dramatic, embarrassing loss of data, or they may occur silently and become a slow but steady source of identity-theft material or fraud-fodder for a diligent attacker. Operating an unsecured, unmonitored organization or Web site is like leaving your car running, with the keys in it, while you do your errands. You might get away with it for a while, but eventually someone will be tempted enough to get in and drive away with your car and your valuables.

Organizational cyber security is an emerging discipline. Like locking up a retail store at night, cyber assets need to be locked and monitored as well. The process can be a lot more complicated than setting an alarm, closing a door, and turning the deadbolt key -- but if you choose the right professionals to manage your organization's security interests for you, it doesn't have to be hard.

[1] http://www.emc.com/about/news/press/2012/20120227-02.htm

[2] http://blog.sfgate.com/techchron/2009/09/15/organizations-fail-to-address-top-cyber-vulnerabilities-report-says/