Despite economic pressures, compliance programs are getting funding because companies have no choice. Adam Ely, a former senior information security manager at Disney turned consultant, sees companies saying, "Let's do what we have to do to get through the next audit." That mind-set increases spending for and awareness of compliance, consultant Pironti notes, but it subverts the discussion about ongoing risk management.
Not everyone sees an increase in spending on compliance. Mike Healey, president of integrator Yeoman Technology Group and an InformationWeek contributing editor, notes that as tech funding and staffs are kept flat or reduced, even compliance audits are back-burnered "because audits aren't front-line defense." Two years ago, Healey says, "organizations had audit schedules or did it themselves. Today, they're prioritizing efforts elsewhere."
Beyond regulations, federal, state, and local laws also affect security spending. Breach notification laws didn't tell companies how to protect data; they just require that companies tell their customers when they've lost their custom- ers' data. But because no company wants to end up in a data-breach headline, those laws have been among the biggest drivers of information security spending. Similarly, laws in Massachusetts, Nevada, and other states for protecting personal information on devices containing sensitive data will certainly drive up spending for any company doing business in those states.
Security vendors are creating products to meet the new laws and regulations, but watch out for snake oil. "The side effect of compliance is that a lot of vendors are just repurposing old products as compliance solutions," says consultant Ely. "The repurposed products are claimed to solve items on the PCI checklist or standard governance, risk, and compliance initiatives." Even the governance, risk, and compliance software market, where products help you score, assess, and manage risk, is seeing an explosion of new products--not all of which are particularly useful.
One practice that Ely sees as increasingly popular and useful is data masking, a process that replaces sensitive data with legitimately formatted fake data. Here's how the practice works. Organizations have to test new applications and application patches on test systems before applying them to live systems, and they have to protect private data. Developers and testers--particularly those outside a company holding sensitive data--shouldn't be allowed to view private data, but they have to work with valid data to test their applications and patches. Data masking, for which there are many techniques and products available, generates valid but obfuscated functional data. It's a relatively straightforward process that should be employed for outsourced development tasks.
Ely also sees enterprise rights management as an increasingly useful technology because ultimately you need to manage access to data wherever it resides. Rights management controls who can do what to data. Policies define the controls required to read, write, or modify a document. Often the data is secured via encryption, so if it's sent outside the realm of the digital rights management system, it can't be viewed.

Work To Do
Robert Richardson, director of the Computing Security Institute, thinks there's still work to be done in the more mundane parts of security, like log management and how it relates to security and compliance. "In many cases where there is a breach, there were flags indicating a breach but they were never noticed," Richardson says. "It's like trying to find a needle in a stack of needles because most events look pretty much the same. Practitioners tell me they have a hard time getting the funding for log management because it sounds dull, but it's a necessary tool." Log analysis tackles a number of challenges, from simply getting all the logs in one location, to normalizing them, to understanding what the logs are saying and then correlating individual entries to a particular event.
Southwest Washington Medical Center makes extensive use of its health application logging facilities, says Christopher Paidhrin, the hospital's IT security and compliance officer. "Actions like accessing or modifying records are recorded so that in the event of an incident, we can trace an employee's steps," he says. "Most improper record accesses are accidents, and we can see that from the short duration of the access and the lack of a pattern of unauthorized access attempts when a mistake is made."
Paidhrin admits that much of the hospital's log monitoring is reactive, but like all security programs, it's evolving. Simply managing the volume of events and making sense of the relevant ones requires going beyond log management software to correlate discrete events into security alerts.

As we concluded after last year's Strategic Security Survey, don't focus on tactical missions like regulatory compliance and cloud computing; focus on the strategic mission of information security via risk management. Whether your sensitive data is in your own data center, in a cloud service, or replicated between the two, the same privacy requirements apply. Prioritize your risk requirements, determine which steps must be taken to protect your information, and then figure out what technology, product, or processes you need to mitigate your risk.