"Businesses spend a lot of money on compliance and risk management. Effective compliance is a critical component of modern business, and the oversight environment is getting increasingly more complicated every day," says Geoff Harkness, managing director at MorganFranklin. "Rather than increasing compliance spend in direct relation to increasing oversight, businesses must figure out ways to make more effective use of future budgets."
[Sloppy firewall rules are costing organizations audits. See Poorly Managed Firewall Rule Sets Will Flag An Audit.]
Here's where Harkness and fellow security experts believe businesses should look to find the money they're wasting on compliance and audits:
1. Do Everything Manually
Doing something by hand may make sense in the kitchen or the workshop, but not in the data center. Today, IT departments waste time, money, and good marks with the auditors when they do their compliance audit and remediation work manually.
"Unnecessary waste occurs with companies who are using manual processes to conduct IT audits for all aspects of the audit," says Jason Creech, director of policy compliance for Qualys.
Tufin's chief security architect, Michael Hamelin, agrees. Manual processes not only take a lot of manpower to pull off, they also end up jeopardizing the state of compliance. It's the very definition of waste -- spending lots of money on a process that comes to nothing anyway. He says he has seen numerous customer prospects spend days on manual firewall audits for PCI only to see them knocked out of compliance with the next weekly firewall change window.
"Automation can play a huge part in aligning security and compliance goals by providing analytics and reporting that allows organizations to sync their efforts," Hamelin says. "When you can leverage automation to be preventative, over time it results in a more proactive and strategic approach to both security and compliance management, and instead of wasting money you create economies of scale."
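Hamelin's point, a manual PCI firewall audit that the next weekly change window silently invalidates, is what a per-change automated check addresses. The Python below is an added illustrative example, not code from Tufin, Qualys or the article: it lints a constructed rule set against a small policy (no any-source or all-ports allows reaching a hypothetical cardholder network, no rule fully shadowed by an earlier one) and reports only the findings a proposed change introduces, so the same audit runs on every change rather than once a year. The network ranges, rule names and policy checks are all assumptions made up for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import List, Tuple

# Constructed for this example: the address range that holds cardholder data
# (the "CDE" in PCI terms). A real audit would read this from the firewall's
# zone definitions instead of hard-coding it.
CDE_NETWORK: IPv4Network = ip_network("10.20.0.0/16")


@dataclass(frozen=True)
class Rule:
    """One IPv4 firewall rule, evaluated in list order (first match wins)."""
    name: str
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    port: str     # "any", a single port ("443") or a range ("1024-65535")
    action: str   # "allow" or "deny"


def _net(spec: str) -> IPv4Network:
    return ip_network("0.0.0.0/0" if spec == "any" else spec, strict=False)


def _ports(spec: str) -> Tuple[int, int]:
    if spec == "any":
        return 0, 65535
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)


def _covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is already matched by `outer`."""
    o_lo, o_hi = _ports(outer.port)
    i_lo, i_hi = _ports(inner.port)
    return (_net(outer.src).supernet_of(_net(inner.src))
            and _net(outer.dst).supernet_of(_net(inner.dst))
            and o_lo <= i_lo and i_hi <= o_hi)


def audit(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Return (rule name, finding) pairs for a complete rule set."""
    findings: List[Tuple[str, str]] = []
    for idx, rule in enumerate(rules):
        src, dst = _net(rule.src), _net(rule.dst)
        lo, hi = _ports(rule.port)
        touches_cde = src.overlaps(CDE_NETWORK) or dst.overlaps(CDE_NETWORK)
        if rule.action == "allow":
            if src.prefixlen == 0 and dst.overlaps(CDE_NETWORK):
                findings.append((rule.name, "any-source allow into cardholder zone"))
            if (lo, hi) == (0, 65535) and touches_cde:
                findings.append((rule.name, "all-ports allow touching cardholder zone"))
        # A rule fully covered by an earlier rule can never match: it is either
        # dead or, as with a fix appended below the default deny, misplaced.
        for earlier in rules[:idx]:
            if _covers(earlier, rule):
                findings.append((rule.name, f"shadowed by {earlier.name}"))
                break
    return findings


def review_change(baseline: List[Rule], proposed: List[Rule]) -> List[Tuple[str, str]]:
    """Findings present in the proposed rule set but not in the approved baseline."""
    before = set(audit(baseline))
    return [f for f in audit(proposed) if f not in before]


# Constructed approved baseline: a DMZ web tier, an app tier reaching one
# database inside the cardholder network, and a default deny.
BASELINE = [
    Rule("web-in", "any", "10.10.1.0/24", "443", "allow"),
    Rule("app-to-db", "10.10.2.0/24", "10.20.5.10/32", "5432", "allow"),
    Rule("deny-all", "any", "any", "any", "deny"),
]

# Constructed "quick fix" of the kind a weekly change window might introduce.
CHANGE = Rule("temp-vendor-access", "any", "10.20.5.0/24", "any", "allow")

if __name__ == "__main__":
    above_deny = BASELINE[:-1] + [CHANGE] + BASELINE[-1:]
    below_deny = BASELINE + [CHANGE]
    for label, proposed in (("above default deny", above_deny),
                            ("below default deny", below_deny)):
        print(f"change placed {label}:")
        for name, finding in review_change(BASELINE, proposed):
            print(f"  {name}: {finding}")
```

Run as a pre-change gate, the check fails the vendor-access rule on two policy findings when it is placed above the default deny, and reports it as shadowed (a change that does nothing but will still be questioned by an auditor) when it is appended below it; the approved baseline itself produces no findings, which is the state the weekly re-run should keep confirming.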
2. Keep Your Left Hand Unaware Of The Right
If your left hand doesn't know what the right hand is doing, then compliance spend will be for naught. Communication is critical, particularly between IT operations and policy development employees.
"Any compliance drill that is executed as a check-the-box exercise is at minimum inefficient or partially wasteful," says David Wilson, director of cybersecurity strategy for Telos. "This is particularly true when the policy compliance folks are segmented from the operations folks. To achieve real benefit, compliance and operations efforts should be intertwined."
Without that work to intertwine them, mishaps are bound to occur. As an example, Creech told the story of one company he worked with that came to him complaining of auditors flagging the company on poor change-control documentation.
"It was discovered that a poor system image management process used in remediation was having an impact on the IT audit. In their organization, remediators corrected system issues by reloading images from a jump drive," he says. "'Remediator A' would fix the reported problem by loading an image, but if another issue was reported, another remediator may show up with his jump drive to fix the second reported issue, basically undoing Remediator A's work."
By the time the annual audit took place, the change-control documentation did not represent the actual environment. "Nowhere close," he says.
3. Deploy For Features Instead Of Security Benefits
The sad truth about most compliance projects is that the typical goal is to create movie-set risk management: good enough for the cameras, but unable to stand scrutiny when you get up close to it. That means many products organizations buy are essentially throwaway items bought solely for their marketing feature list, no matter whether the claims are true.
According to Phil Lieberman, CEO of Lieberman Software, organizations usually have the choice between two types of compliance solution.
"The first will not scale or work, but is provided by an appliance. The second requires integration into line-of-business infrastructure to close the holes," Lieberman says. "When approached with the two, the first solution is chosen because [they believe] a failure of a solution is better than one that requires interdepartment cooperation."
4. Reinvent The Widget
Redundancy is, without a doubt, the biggest money sinkhole when it comes to compliance spend. And it exists everywhere. On the technology side, many heavily regulated businesses have become a graveyard of old technology due to the aforementioned propensity to buy for a feature list and find the technology is broken or won't scale.
"When I worked in professional services, it was not uncommon once I arrived on-site to find unused systems -- systems that had not been kept current with the environment. Some companies had even forgotten the passwords to use for login as administrator," Creech says. "Those particular solutions were very expensive and averaged nearly $1,000 per IP."
Technology also goes underutilized when niche products that do work overlap in functionality.
"Often, personal preference, vendor lock-in, or suggestions from the auditor conspire to cause organizations to run many redundant and unneeded systems," says Ron Gula, CEO and CTO of Tenable Network Security. "These systems are often implemented with a sliver of their actual feature set, so the organization gets little benefit from the product or its security capabilities."
Such disarray on the technology side is actually a symptom of a larger redundancy problem, rather than the disease itself. Often the duplicative widgets are a result of multiple compliance project managers chasing down multiple regulatory objectives without any kind of overarching strategy. Nip that behavior in the bud and you'll soon weed out the technological excess.
"Many leading organizations have spent significant time and energy on individual aspects of compliance, but have failed to realize a comprehensive, integrated governance, risk, and compliance operational framework," Harkness says.
5. Ignore The Cloud
After spending an arm and a leg to create a secure and compliant on-premises infrastructure, organizations can still find themselves on the wrong end of the auditor's pen if they choose to ignore cloud infrastructure or don't even know their users are pushing data out to the cloud.
"Since SaaS applications are so easy to purchase, many IT organizations do not have a clear picture of how many seats of various cloud applications are truly being used within their enterprises," says Gerry Grealish, vice president of marketing and products for PerspecSys. "This unawareness allows for gaps in compliance and, more importantly, overall data security."
In order to ensure compliance stretches across all the infrastructure where regulated data sits, it is critical to inventory and evaluate the cloud platforms that are already in use, Grealish says.
"The next step is to determine what information is being stored and processed in these clouds, and to put the compliant data protection model in place to ensure sensitive and private information is being properly safeguarded," he says.