2/8/2013
12:48 PM

7 Routes To Reducing The Compliance 'Tax'

Complying with security standards and regulations is a cost of doing business, but through smart practices that cost doesn't have to be so high

Sometimes the myriad of security regulatory requirements can look to enterprises like a burdensome compliance tax on the business. The checklists, baselines, standards and rules at play continue to add up, and without a strategy in place it might seem like the cost of complying outweighs the consequences of ignoring them. However, meaningful adherence to the spirit of the laws -- actually improving the risk posture of the organization -- brings a lot of business returns beyond the satisfaction of auditors.

"Compliance mandates have been introduced to force businesses to think about security and privacy rather than risk the personal data of their customers and value of their shareholders," says Adam Ely, COO of Bluebox, former head of security and compliance at TiVo and former CISO of the Heroku business unit at Salesforce. "In reality, the cost of compliance is a cost of doing business and one that should have been realized all along."

As for that compliance tax, it doesn't necessarily have to be as expensive as some believe it to be. There are a number of strategies, tools and practices that can greatly reduce the associated costs. But before tackling those, remember to step back and see the forest for the trees. Information security professionals can be a bit myopic in how they view compliance, looking at it strictly as a technical issue, says Tim Erlin, director of security and risk strategy for nCircle.

"But it's a business problem," he says. "Businesses can avoid compliance requirements with cost-driven strategies, in the same ways they reduce their corporate tax burden. One example of this kind of strategy is the decision to avoid PCI compliance by outsourcing credit card processing so you don't actually store any credit card data."

1. Think Top-Down Vs. Bottom-Up
Organizations that view compliance as a function of risk management activities rather than the other way around tend to better keep their compliance costs in check, experts agree.

In a lot of cases, a top-down approach can help organizations reduce costs by as much as 25 to 45 percent, says A.N. Ananth, CEO of EventTracker.

"Use a top-down, risk-based approach instead of an overly detailed, bottom-up assessment," says Ananth, citing two recent releases by the Public Company Accounting Oversight Board (PCAOB) as a good place to look for proof on why and how it works. "The PCAOB has identified the primary drivers of cost to be the scope of the internal control audit and the amount of management testing being performed."

In simplest terms, many describe this as a "test-once, comply-to-many" approach, says Torsten George, vice president of worldwide marketing, products and support for risk management firm Agiliance, who believes that instituting security controls and then cross-mapping them to individual mandates is the most efficient approach.

"This allows IT staff to document compliance to multiple regulations and mandates using fewer steps and resources," he says.


Key to cross-mapping is the institution of quality security metrics. Repeatable and understandable means for measuring security performance will greatly streamline the audit process, Erlin says.

"Compliance is about audits, and audits are about measurement. If you already have a security program in place, there's a good chance you're close to being compliant, but you have to articulate this to an auditor," he says. "If you're regularly measuring your security performance, you're way ahead of the game."

Not only can a top-down approach offer compliance cost savings, it also stands to drive ROI from security activities.

"The flip side to regulatory pressures on security preparedness being a tax is that those companies that are prepared will have a competitive advantage," says Gant Redmon, general counsel and vice president of business development for Co3 Systems. "The companies that possess the tools and competence to know what security measures they have in place, benchmark their security preparedness, and have incident response procedures in place will experience regulations as validation of their efforts."

2. Continuous Monitoring With A Caveat
Continuous monitoring has quickly gained steam as a way to make risk management and compliance activities more agile. But continuous monitoring alone won't necessarily guarantee cost savings on the compliance front, says Yo Delmar, vice president of GRC solutions at MetricStream.

Without some sort of centralized platform to synthesize the information coming out of those monitoring feeds and correlate it to policies, standards, configuration baselines and regulations, the benefits won't be realized.

"Continuous controls monitoring can dramatically reduce the burden of compliance for information security if and only if IT GRC platforms also map to regulatory requirements," she says.

3. Use Data Classification To Your Advantage
You don't want to put a $200 fence around a $5 asset, but in the same vein it doesn't make sense to put a $5 fence around a $2,000 asset, says Caroline Wong, director of regional product management for risk and compliance at Symantec. Without data classification, though, it is difficult to make financial value-based judgments on where to invest.

"Businesses should manage security and compliance like any other aspect of the business; the investment has to make sense for the business," Wong says. "It all comes down to proper data classification -- assess which assets are important to the company and protect them accordingly."

4. Examine Security Tools With Circumspection
Often the burden of security and compliance is wrapped up in how much expertise is needed to run the controls put in place and what kind of performance hit those controls will impose on the IT infrastructure. Organizations should not just be looking at how much tools cost up front, but also at what kind of expenses they'll incur once deployed.

"Organizations typically focus on the capital expenditure but underestimate cost of ongoing administration and/or change management," says Oliver Wai, product manager for Barracuda Networks, explaining that complex tools are not always the best option. "Select a solution that is flexible and easy to administer. In fact, complex solutions are often riskier solutions due to misconfiguration by administrators."

Similarly, organizations should be seeking controls with performance requirements that match the organization's capability to meet them.

"Often organizations are wildly optimistic in projecting traffic requirements or performance needs," he says. "Analyze the network or application performance before selecting a solution."

Next Page: Automate And Embed

Comments
Kurt Johnson,
User Rank: Strategist
2/12/2013 | 9:44:55 PM
re: 7 Routes To Reducing The Compliance 'Tax'
We agree with and would recommend that businesses analyze potential risk associated with user access on a continuous basis to determine whether the right people have the right access to the right information and resources, and are doing the right things with that access.

This gives businesses the insight needed to uncover deeply embedded policy violations or improper access, and take action to remediate before failing an audit or falling victim to a security breach. The continuous monitoring also enables more of a security focus, rather than a scheduled audit event. By looking at this information continuously, the organization can be better prepared to respond to auditors without it being an all-hands effort come audit time.
- Kurt Johnson, Courion