6/4/2012 10:24 PM

5 Ways You're Wasting Compliance Dollars

Fighting redundancy and ineffectual practices leaves more money for meaningful security

Sure, the cost of compliance has been driven higher and higher by increased regulatory burdens over the years. But that's not the whole story. Many organizations spend more because they're wasting compliance dollars on piecemeal compliance programs, ineffective products, and expensive consultants brought in when things go wrong.

"Businesses spend a lot of money on compliance and risk management. Effective compliance is a critical component of modern business, and the oversight environment is getting increasingly more complicated every day," says Geoff Harkness, managing director at MorganFranklin. "Rather than increasing compliance spend in direct relation to increasing oversight, businesses must figure out ways to make more effective use of future budgets."

[Sloppy firewall rules are costing organizations audits. See Poorly Managed Firewall Rule Sets Will Flag An Audit.]

Here's where Harkness and fellow security experts believe businesses should look to find the money they're wasting on compliance and audits:

1. Do Everything Manually
Doing something by hand may make sense in the kitchen or the workshop, but not in the data center. Today, IT departments waste time, money, and good marks with the auditors when they do their compliance audit and remediation work manually.

"Unnecessary waste occurs with companies who are using manual processes to conduct IT audits for all aspects of the audit," says Jason Creech, director of policy compliance for Qualys.

Tufin's chief security architect, Michael Hamelin, agrees. Manual processes not only take a lot of manpower to pull off, they also end up jeopardizing the state of compliance. It's the very definition of waste -- spending lots of money on a process that comes to nothing anyway. He says he has seen numerous customer prospects spend days on manual firewall audits for PCI only to see them knocked out of compliance with the next weekly firewall change window.

"Automation can play a huge part in aligning security and compliance goals by providing analytics and reporting that allows organizations to sync their efforts," Hamelin says. "When you can leverage automation to be preventative, over time it results in a more proactive and strategic approach to both security and compliance management, and instead of wasting money you create economies of scale."
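The failure mode Hamelin describes, a rule set audited by hand and then broken by the next change window, is exactly what an automated check catches. The following is an added example, not code from the article or from Tufin or Qualys: a small rule-set audit that is re-run on every proposed change so the change that introduces a violation is flagged before it ships. The rule format, the zone definition, the policy checks and the sample rules are all constructed for illustration (they are PCI-flavored, not PCI DSS text).

```python
"""Automated firewall rule-set compliance check (added example, constructed data).

Re-runs a policy audit after every change so a weekly change window cannot
silently knock a rule set out of compliance. Rule format, zone names and
policy checks are illustrative assumptions, not any vendor's or standard's.
"""
from ipaddress import ip_network

# Constructed zone: which networks make up the cardholder data environment (CDE)
CDE_NETS = [ip_network("10.10.0.0/16")]
# Services a policy would typically forbid into the CDE (constructed list)
INSECURE_SERVICES = {23: "telnet", 21: "ftp"}


def in_cde(cidr: str) -> bool:
    """True if the destination CIDR (or 'any') overlaps the CDE address space."""
    if cidr == "any":
        return True  # 'any' necessarily covers the CDE
    net = ip_network(cidr)
    return any(net.overlaps(c) for c in CDE_NETS)


def audit(rules):
    """Return a list of (rule_id, finding) tuples for a rule set.

    Each rule is a dict with id, src, dst, port, action and (optionally) a
    change ticket. Only permit rules can violate the constructed policy.
    """
    findings = []
    for r in rules:
        if r["action"] != "permit":
            continue
        rid = r["id"]
        if in_cde(r["dst"]):
            if r["src"] == "any":
                findings.append((rid, "permit from any source into CDE"))
            if r["port"] == "any":
                findings.append((rid, "permit of all services into CDE"))
            elif r["port"] in INSECURE_SERVICES:
                findings.append((rid, f"{INSECURE_SERVICES[r['port']]} permitted into CDE"))
        if not r.get("ticket"):
            findings.append((rid, "permit rule has no change ticket / business justification"))
    return findings


def apply_change(rules, new_rules):
    """Simulate a change window: new rules are inserted ahead of the existing ones."""
    return list(new_rules) + list(rules)


def audit_change(rules, new_rules):
    """Audit before and after a proposed change; return only findings the change introduces."""
    before = set(audit(rules))
    after = audit(apply_change(rules, new_rules))
    return [f for f in after if f not in before]


# Constructed baseline rule set that satisfies the policy
BASELINE = [
    {"id": 10, "src": "192.168.5.0/24", "dst": "10.10.1.0/24", "port": 443,
     "action": "permit", "ticket": "CHG-1001"},
    {"id": 20, "src": "10.10.1.0/24", "dst": "10.20.0.0/16", "port": 1433,
     "action": "permit", "ticket": "CHG-1002"},
    {"id": 30, "src": "any", "dst": "any", "port": "any", "action": "deny"},
]

# Constructed change from a weekly window: a "temporary" troubleshooting rule
WEEKLY_CHANGE = [
    {"id": 5, "src": "any", "dst": "10.10.1.50/32", "port": "any", "action": "permit"},
]

if __name__ == "__main__":
    print("baseline findings:", audit(BASELINE))
    for rid, msg in audit_change(BASELINE, WEEKLY_CHANGE):
        print(f"rule {rid}: {msg}")
```

Run against the constructed data, the baseline audits clean and the change-window rule produces three findings on rule 5 (any source into the CDE, all services, no ticket). Wiring `audit_change` into the change-approval step is the "preventative" use of automation the quote refers to: the audit runs on the proposed rule set, not on the rule set a week after it went live.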

2. Keep Your Left Hand Unaware Of The Right
If your left hand doesn't know what the right hand is doing, then compliance spend will be for naught. Communication is critical, particularly between IT operations and policy development employees.

"Any compliance drill that is executed as a check-the-box exercise is at a minimum inefficient or partially wasteful," says David Wilson, director of cybersecurity strategy for Telos. "This is particularly true when the policy compliance folks are segmented from the operations folks. To achieve real benefit, compliance and operations efforts should be intertwined."

Without that work to intertwine them, mishaps are bound to occur. As an example, Creech told the story of one company he worked with that came to him complaining of auditors flagging the company on poor change-control documentation.

"It was discovered that a poor system image management process used in remediation was having an impact on the IT audit. In their organization, remediators corrected system issues by reloading images from a jump drive," he says. "'Remediator A' would fix the reported problem by loading an image, but if another issue was reported, another remediator may show up with his jump drive to fix the second reported issue, basically undoing Remediator A's work."

By the time the annual audit took place, the change-control documentation did not represent the actual environment. "Nowhere close," he says.

3. Deploy For Features Instead Of Security Benefits
The sad truth about most compliance projects is that the typical goal is to create movie-set risk management: good enough for the cameras, but unable to stand scrutiny when you get up close to it. That means many products organizations buy are essentially throwaway items bought solely for their marketing feature list, no matter whether the claims are true.

According to Phil Lieberman, CEO of Lieberman Software, organizations usually have the choice between two types of compliance solution.

"The first will not scale or work, but is provided by an appliance. The second requires integration into line-of-business infrastructure to close the holes," Lieberman says. "When approached with the two, the first solution is chosen because [they believe] a failure of a solution is better than one that requires interdepartment cooperation."

4. Reinvent The Widget
Redundancy is, without a doubt, the biggest money sinkhole when it comes to compliance spend. And it exists everywhere. On the technology side, many heavily regulated businesses have become a graveyard of old technology due to the aforementioned propensity to buy for a feature list and find the technology is broken or won't scale.

"When I worked in professional services, it was not uncommon once I arrived on-site to find unused systems -- systems that had not been kept current with the environment. Some companies had even forgotten the passwords to use for login as administrator," Creech says. "Those particular solutions were very expensive and averaged nearly $1,000 per IP."

Technology also goes underutilized when niche products that do work overlap in functionality.

"Often, personal preference, vendor lock-in, or suggestions from the auditor conspire to cause organizations to run many redundant and unneeded systems," says Ron Gula, CEO and CTO of Tenable Network Security. "These systems are often implemented with a sliver of their actual feature set, so the organization gets little benefit from the product or its security capabilities."

Such disarray on the technology side is actually a symptom of a larger redundancy problem, rather than the disease itself. Often the duplicative widgets are a result of multiple compliance project managers chasing down multiple regulatory objectives without any kind of overarching strategy. Nip that behavior in the bud and you'll soon weed out the technological excess.

"Many leading organizations have spent significant time and energy on individual aspects of compliance, but have failed to realize a comprehensive, integrated governance, risk, and compliance operational framework," Harkness says.

5. Ignore The Cloud
After spending an arm and a leg to create a secure and compliant on-premises infrastructure, organizations can still find themselves on the wrong end of the auditor's pen if they choose to ignore cloud infrastructure or don't even know their users are pushing data out to the cloud.

"Since SaaS applications are so easy to purchase, many IT organizations do not have a clear picture of how many seats of various cloud applications are truly being used within their enterprises," says Gerry Grealish, vice president of marketing and products for PerspecSys. "This unawareness allows for gaps in compliance and, more importantly, overall data security."

In order to ensure compliance stretches across all the infrastructure where regulated data sits, it is critical to inventory and evaluate the cloud platforms that are already in use, Grealish says.

"The next step is to determine what information is being stored and processed in these clouds, and to put the compliant data protection model in place to ensure sensitive and private information is being properly safeguarded," he says.
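The inventory step Grealish describes has to start from what users actually do, not from what procurement knows about. The following is an added example, not code from the article or from PerspecSys: it builds a SaaS inventory from web proxy logs, counts distinct users and uploaded bytes per application, and reports the applications nobody sanctioned. The log format, the domain-to-application map, the sanctioned list and the sample log lines are all constructed for illustration; a real deployment would read the proxy's own export.

```python
"""Discover the cloud applications actually in use from proxy logs (added example).

All data here is constructed: the "<epoch> <user> <method> <url> <bytes_sent>"
log format, the domain map, the sanctioned list and the sample lines. The
technique is the inventory step that precedes deciding how regulated data
in those applications is protected.
"""
import re
from collections import defaultdict

# Constructed proxy log lines
LOG_LINES = """\
1338847200 alice GET https://mail.corp.example/inbox 812
1338847260 alice POST https://upload.dropbox.com/put 5242880
1338847320 bob POST https://api.dropbox.com/2/files/upload 1048576
1338847380 carol GET https://app.salesforce.com/home 2048
1338847440 dave POST https://docs.google.com/document/d/abc/edit 65536
1338847500 erin GET https://www.wetransfer.com/ 1024
1338847560 erin POST https://www.wetransfer.com/api/v4/transfers 20971520
1338847620 bob GET https://drive.google.com/drive/my-drive 4096
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<bytes>\d+)$"
)

# Constructed map of domain suffix -> SaaS application name
APP_BY_DOMAIN = {
    "dropbox.com": "Dropbox",
    "salesforce.com": "Salesforce",
    "docs.google.com": "Google Docs",
    "drive.google.com": "Google Drive",
    "wetransfer.com": "WeTransfer",
}
# Constructed: the applications IT and procurement actually know about
SANCTIONED = {"Salesforce"}


def app_for_host(host):
    """Map a hostname to an application using the longest matching domain suffix."""
    host = host.lower()
    best = None
    for suffix, app in APP_BY_DOMAIN.items():
        if host == suffix or host.endswith("." + suffix):
            if best is None or len(suffix) > len(best[0]):
                best = (suffix, app)
    return best[1] if best else None


def inventory(lines):
    """Return {app: {"users": set, "upload_bytes": int, "sanctioned": bool}}."""
    inv = defaultdict(lambda: {"users": set(), "upload_bytes": 0, "sanctioned": False})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole report
        host = re.sub(r"^https?://", "", m["url"]).split("/")[0].split(":")[0]
        app = app_for_host(host)
        if app is None:
            continue  # internal or unmapped destination
        entry = inv[app]
        entry["users"].add(m["user"])
        if m["method"] in ("POST", "PUT"):
            entry["upload_bytes"] += int(m["bytes"])  # data leaving the enterprise
        entry["sanctioned"] = app in SANCTIONED
    return dict(inv)


def unsanctioned_report(lines):
    """Unsanctioned apps as (app, distinct_users, upload_bytes), busiest first."""
    inv = inventory(lines)
    rows = [(app, len(e["users"]), e["upload_bytes"])
            for app, e in inv.items() if not e["sanctioned"]]
    return sorted(rows, key=lambda r: (-r[1], -r[2], r[0]))


if __name__ == "__main__":
    for app, users, up in unsanctioned_report(LOG_LINES):
        print(f"{app:<14} users={users} uploaded={up} bytes")
```

On the constructed lines the report lists Dropbox first (two users, about 6 MB uploaded) and WeTransfer second (one user, 20 MB uploaded); Salesforce is suppressed because it is sanctioned. Uploaded bytes, not just hits, are what matter for the "what information is being stored and processed" question that follows the inventory.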

Comments
BJANACEK079, User Rank: Apprentice
6/5/2012 | 5:00:40 PM
re: 5 Ways You're Wasting Compliance Dollars
Your article is spot on. I'd like to add another common scenario to support your findings. Organizations typically look at compliance on a per project basis, and as a result, spin up multiple independent silos that don't interoperate or work in a consistent manner. The result is increased costs and complexity, and reduced compliance. For example, email encryption is typically its own project, as is ad hoc file transfer for employees. And neither is typically designed to integrate with the managed file transfer (MFT) solution deployed to allow systems to securely communicate. Standing up three different silos just for the purpose of securely exchanging data with customers and partners is the norm, but it is an unfortunate relic of a piecemeal-based approach to IT compliance. Fortunately, technology has evolved to allow a unified approach to sensitive data exchange.

-Bob Janacek, CTO
DataMotion.com