Compliance budgets are high on the agenda of every CISO and CIO. New regulations to comply with, new environments to audit, and new requirements to support are expensive line items. However, unintuitive as it may sound, many organizations are actually doing more than they need regarding compliance. Some call it overcompliance, and it is an emerging concern among many companies, calling for closer examination.
Compliance is hard. Companies working to comply are facing a wide range of requirements introduced frequently. To keep up, they are pushed to manage many tools, dynamic and changing infrastructure, and applications. This includes, among other responsibilities, staying on top of security testing, patching, user management, logging, and third-party vendor management. From a user perspective, these highly regulated environments are more restrictive and tend to be less comfortable to freely work in. So, what makes companies overspend on compliance?
For many companies, overcompliance doesn't happen overnight. Consider, for example, one of our customers, a financial institution. "When we first started our business, we made the strategic decision to scope our entire production environment," says the CIO. "With a small overhead at the time, it made sense to keep all the systems in scope." But fast forward 10 years and that production environment, which was already hosting many out-of-scope systems, now had more than 60% of its servers unnecessarily "burdened" with software licenses, authentication controls, and auditing hours required for compliance. He estimated this "overcompliance" cost the company hundreds of thousands of dollars annually.
The key to a successful audit is scope. One of the biggest mistakes we see companies make is to start applying compliance control without truly understanding what should be considered in scope. This often leads to "scope creep," one of the leading causes of audits spiraling out of control, and which may also result in significant delays and costly expenses. To avoid scope creep, customers need to separate their virtual environments (VLANs), but this is often a task that's so time-consuming that it's easier to just maintain the entire VLAN and apply regulation to all systems.
Take, for example, the European Union's privacy act, the General Data Protection Regulation, or its American counterpart, the California Consumer Privacy Act. A company that doesn't properly scope, whether to avoid the labor-intensive VLAN separation or for any other reason, may end up with large parts of its environment regulated with no real justification. As the company grows, more applications that have nothing to do with personally identifiable information are added to the environment, leading to excessive costs and burdens.
Organizations deciding to rescope their systems will face several challenges, including:
- Infrastructure complexity: How to operate in flat networks with different VLANs required for scoping.
- Lack of visibility: How to get visibility into the environment required to decouple the scoped from the out-of-scope systems.
- Downtime: How to avoid often-inevitable downtime to business-critical applications when moving applications across different VLANs.
To tackle these challenges, here are a few strategies that I suggest.
- Make sure to scope well only what needs to be regulated. Right-scoping the environment reduces audit and compliance burden.
- Having a great visibility or data-mapping tool can be greatly beneficial. Seeing the boundaries of your scoped area will benefit both your organization and your auditor.
- Consider various segmentation technologies to separate the in-scope from the out-of-scope environments. Modern segmentation approaches can help do this without getting into great investments.
- Finally, constantly evaluate the scoped environment to avoid scope creep using proven visibility tools.
Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "5 Ways to Prove Security's Worth in the Age of COVID-19."