Compliance and Security: The Changing Environment, Part 1

In this first part of a three-part series, we look at how compliance continues to change IT security and response to risk.

Simply defined, compliance is the process of ensuring that personnel are aware of and comply with relevant laws and regulations. For the IT team, this is specialized corporate GRC: governance, risk, and compliance. As regulations mushroom and mature, IT security and compliance must achieve a Zen-like balance with emerging common major trends.

Every Fortune 500 company, major institution, and government agency faces multiple regulatory mandates. Over 8,500 state and federal regulations concerning records management are estimated to be in effect in the United States. Multinational corporations face even more regulations. The financial industry is the most heavily regulated, followed by health care.

Although SOX applies only to public companies, government and institutions face FISMA or other internal standards. Most vendors doing government work fall under FIPS. Frameworks such as COBIT, standards such as ISO 17799, and various NIST publications provide compliance guidelines for all groups. Even companies not heavily regulated are being pressured by board members and stockholders to ensure that proper controls and compliance measures are in place.

Coping with multiple regulations evokes different strategies in corporations. Some employ a monolithic compliance department. Brokerage firm Charles Schwab, for example, has a central department but devotes an in-depth team to each of the twelve major compliance regulations affecting the company.

Khalid Kark, principal analyst at Forrester, notes that the major regulatory compliance effort started with SOX but then widened. The tools for and approach to compliance have evolved with the regulatory pile-on. Kark states, "A few years ago when I talked with the people responsible for compliance and security, the focus was to get compliant with that one regulation by whatever internal deadline. Then the next regulation would come and they would have to start over from scratch. It wasn't an efficient way of doing things.

"The focus has moved from individual one-off efforts. The thinking has matured into a broader, coherent view and [to] creating a control framework using a single process and single set of tools that can be tweaked to comply with each of multiple regulations.

"When I talk with chief security officers today, their view is 'We need to look at the corporate risk and the broader IT security risk in order to manage compliance and compliance is one aspect of it. We need to be looking at security risk as a whole and applying compliance to it.'"

A Shift in Personnel

Kark notes the shift between security and compliance personnel. "Obviously, the lines have blurred very significantly over the last couple of years. In the past, the firewalls, the AV, and so on, was the responsibility of the Chief Security Officer and the audit and compliance was headed by the Chief Compliance Officer. Today, the Chief Security Officer is primarily responsible for setting policies and controls that are in alignment with the regulations that you have to follow."

"Corporate compliance officers are looking at the letter of the law, as in 'we checked that box and that means we are compliant.' Information security officers should be looking at the intent, as in 'we checked that box but does that really make us secure?' That's how I would classify the differences."

Kark notes that CISOs are handing over the day-to-day responsibilities to IT operations. In turn, the CISO's main responsibility is for setting policy and monitoring adherence.

The person responsible for shouldering compliance responsibility is moving along the chain. As observed by CA's senior VP Kirk Willis, in the last five years, heavy-iron security administrators have shifted their duty mix to more than 50 percent toward compliance over security and enforcement.

Some facts for consideration by the CFO, and possibly the boardroom:

According to a July 2007 report entitled "Compliance Pays: Reputations and Revenues at Risk":

  • Two out of ten companies are compliance laggards. One in ten companies is a compliance leader.
  • Compliance laggards experience 17 or more disruptions a year from IT security events. Compliance leaders have only two or fewer disruptions annually from IT security.
  • Compliance laggards have 22 or more data losses or thefts of sensitive data per year. Once every three years or sooner, a compliance laggard will appear on the front page of major newspapers for such an event.
  • Compliance leaders have two or fewer such incidents and rarely appear on front pages for such breaches.

Although the historical data is still limited, the expected financial risk for a publicly disclosed data loss or theft includes:

  • An eight percent decline in the market value of a share of stock for publicly traded firms
  • An eight percent loss of customers
  • A temporary decline in revenue of eight percent
  • Additional costs for litigation, notification, settlements, cleanup, restoration, and improvements average $100 per lost customer record

It's not just putting compliance into place. Kark voiced a remark common to many compliance experts about monthly or quarterly policy reviews. "Compliance is a process, not just a point in time."