7 Routes To Reducing The Compliance 'Tax'

Complying with security standards and regulations is a cost of doing business, but through smart practices that cost doesn't have to be so high
5. Automate And Embed
Automating compliance reporting and building controls directly into operational technologies rather than adding additional blocking layers are key to reducing time on audit-related activities. According to Ely, in his time as CISO of TiVo, these strategies helped his firm reduce compliance and audit-related costs by 60 percent.

"To move security forward and overcome the compliance burden perception, we must focus on the positive benefits, reduce cost, and minimize operational overhead through automation, repeatable practices, and highlighting how businesses can benefit from the new processes and controls," Ely says

For example, documenting user access to applications and data stands as one of the most expensive aspects of proving compliance. But automation can greatly reduce the costs around this IAM-related regulatory requirement.

"Access certification is a very complicated, labor-intensive process that involves IT, infosec, the line of business and audit (and) compliance teams," says Deepak Taneja, CTO and founder of IAM firm Aveksa. "By automating this process, companies can actually turn access certification from a tax to an asset by making it much a more efficient process that delivers business value to the company and makes the enterprise more secure.

Similarly, costs tied into security-related tasks such as manual approval processes and password management can be diminished through self-service capabilities.

"Implementing self-service capabilities for information security-related tasks reduces the burden on IT while improving security as long as workflows are enabled because the appropriate approvers are engaged directly," says Ryan Ward, chief innovation officer for IAM firm Avatier.

6. Don't Boil The Ocean
Compliance costs can spiral out of control when organizations try to implement controls across too broad a swath of IT infrastructure. Don't boil the ocean and tack controls on all applications and systems at once, warns Marc Boorshtein, CTO of Tremolo Security.

"Focus first on covered applications that require compliance and then look at process improvement to increase the value of the system," he says.

For example, when SOX compliance projects were first being rolled out in the enterprise, many chose to try to use identity management systems to manage identities in every application instead of just covered applications, he says.

"This lead to massive project implementation delays," Boorshtein says. "Enterprises would eventually only handle covered applications with a bad taste in their mouth from the implementation, which in turn would discourage them from continuing to invest in getting additional applications on board."

That lead to the identity management software incurring a very high cost per application to implement, he says.

"If done correctly your costs should decrease as you add applications, increasing the value of the system," he says.

7. Require Secure Software Development
Organizations could save a ton of compliance dollars and countless security headaches if only software projects were governed more by the directive that " "Software must be secure against at least the OWASP Top 10, WASC 24, or similar" than the one that states that "Delivery is mandated by date, and any delay will come with penalties," says Joshua Marpet, managing principal of Guarded Risk, a data security and forensic consultancy.

"People do what you pay them to," he says. "If our software projects were paid to be secure software projects, instead of fast -- (and) probably shoddily -- then regulatory compliance would be much easier, cheaper, and simpler."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.