Fortunately, many of these compliance demands overlap--even if the language describing them may vary from regulation to regulation. Unfortunately, most enterprises can't seem to get their acts together enough to take advantage of the duplication. All too often compliance efforts are so fragmented into individual initiatives that organizations reinventing the wheel every time they are up for the next audit.
"Many of these organizations have multiple regulatory requirements they have to meet, be it HIPAA, SOX, certification accreditation, and things like that," says Tom Dimtsios, senior director of cybersecurity consulting at Telos. "It takes a large-scale effort to tie these multiple regulations together and try to figure out where you're going to get the most bang for your buck. The security practitioner has to go through and say this regulation is the same as this one and that regulation is the same as that other one. And in many cases the practitioner doesn't have the time up front to do all that."
But the alternative may actually be sucking up even more of their time than taking a step back and finding the redundancies. When organizations take on compliance with each regulation one by one, they end up repeating actions and controls, buying too-specific and duplicative technologies and draining resources away from security activities that really address risk.
"Of course the response to that is to unify your controls. Look at the set of audits you have in place, about what they have in common, pass that once, and use the same report over and over," says Dr. Mike Lloyd, CTO of RedSeal Systems. "This doesn't come cheap, it takes effort to do this but it can be done."
In many cases, companies can grease the skids and make the hunt for similarities in controls a little bit easier by using some kind of third-party framework around which they can develop their organization-specific security policies. These can either be governance frameworks such as ISO 17799 or COBIT, or compliance-focused frameworks such as the Unified Compliance Framework (UCF).
"Some of these frameworks make great strides to say this requirement meets that regulation and this meets that other one," Dimtsios says.
On the front-end, these frameworks will require a lot of resources to implement, so it will be important to communicate the value of the project to upper level management in order to snag some extra budget to bring in outside help.
One of the biggest returns to tell management about will be the ability to adjust on the fly to new requirements from regulatory updates or brand-new laws. Once a framework is set up, it is much easier to marry up the new required controls against them and keep compliance costs from multiplying every time the regulators get a bug in their bonnet.
"Being able to clearly see the many commonalities that exist when this information is unified is a real eyeopener," says Dorian Cougias, founder and lead analyst of Network Frontiers, the company that developed UCF. "It’s unfortunate that companies continue to waste time and money reinventing the compliance wheel each time a new rule is introduced or an old guideline is updated."
More importantly, though, the act of mapping out controls can help the organization more closely match overall security goals with compliance goals. As any security expert on the planet will tell you, achieving compliance is no guarantee that you'll achieve security.
"If you can close the gap between security and compliance, that's obviously a win. I talk about there being a 15-degree difference between what you do to be secure and what you do to pass your audit," Lloyd says. "A lot of companies tell me the difference is bigger than that, but to be conservative, I'll say 15 degrees."
That degree of difference is usually a byproduct of putting the cart before the horse. Organizations tend to get the order of operations backwards, by first establishing controls to meet compliance objectives and then, perhaps, backfilling with more robust controls to manage risks specific to the business. This usually leads to redundancies in some areas and serious security lapses in others.
Ideally, organizations should first decide on the biggest risks to the organization and the controls needed to mitigate them. Then step two should be to match those existing controls to the compliance mandates the organization must meet. Any existing gaps where compliance requires something that the existing controls don't satisfy can then be added after mapping the controls overlap.
"If your objective is just to be compliant, then you can do that, but it is going to cost more down the line to maintain that compliance versus if your objective is to secure your business first," says Michael Figueroa, senior vice president at security consulting firm InfusionPoints. "That is going to be more investment up front, but it's going to be much easier to maintain and much less investment down the line in order to maintain various levels of security and compliance."
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.