The security community spends a lot of time worrying over the hidden costs of compliance and risk management programs--but what about the hidden returns? Creative technology executives can often find ways to gain far more value beyond risk mitigation or regulatory conformance from the monitoring and policy enforcement technology and procedures they put in place to support an IT security compliance program. They just need to know where to look. According to governance, risk and compliance experts, there are a multitude of likely places where enterprises can uncover added value from the compliance investments they've already made.
[ So what ARE the hidden costs of compliance? See The Compliance Officer's Dirty Little Secret. ]
"I like to stress to my customers that while most organizations initially purchase IT audit solutions to meet some compliance need, they should recognize the value of the data they are collecting and attempt to find way to use this data to eliminate waste," says Jason Creech, director of policy compliance for Qualys.
1. Asset and License Management
One of the most immediate hidden benefits of automated compliance and audit programs is the visibility that related technology investments can bring to systems and software usage patterns. This information can be used to identify little-used systems ripe for the chopping block or opportunities for greater investments in licensing or upgrades. For example, Creech says he worked with one enterprise that saved close to $2 million simply by eliminating systems that their audit tools had shown had not been logged into in over a year.
"IT GRC programs with precise knowledge of exactly what version software is running on each end-point can give very accurate estimates when planning or justifying an enterprise-wide software upgrades," says Tim "TK" Keanini, chief research officer for nCircle. "This data also helps govern commercial license agreements and effectively monitors open source software deployed on the network."
In this age of stiff penalties and lawsuits meted out by the Business Software Alliance (BSA), the added value that an audit tool that can double as a tool for enumerating not just licensed applications being used, but also unlicensed can pay big dividends in avoiding more than malware risk, Creech says.
"I am sure any organization would want to know how prevalent unlicensed app usage is in their environment before the BSA knocks on their door," he says.
2. Streamlined IT Ops
Often the deployment of security monitoring tools to satisfy compliance requirements can bubble up a whole host of surprising results that may not have any security implications whatsoever, says Matthew Gardiner, senior manager in RSA's Security Management and Compliance unit.
"As a result of their efforts to apply security analytics to detect anomalous (or) risky activity, they often discover people, processes, and systems that they didn't know about and that are often inefficiently deployed and managed," he says. "The security teams efforts to improve IT controls from a security point of view often lead to improved controls from a purely operational point of view."
Take firewall management, for example. Many organizations today are deploying automated firewall management solutions to comply with requirements set out by mandates like PCI DSS, primarily to ensure that undiscovered rules aren't introducing unnecessary risk of exposure to the network. But in so doing, they also often end up discovering a whole rats' nest of duplicate rules that greatly impede network performance, says Mark Jones, CEO of security service provider SOS Security.
"The throughput on their firewalls run so much cleaner and so much faster," he says, explaining that he's seen many a case where the firewall administrator believed the organization needed to upgrade the firewall only to discover it wasn't the software that was the problem, "it's just that they had too many damned rules."
According to Caroline Leies, managing director at MorganFranklin, she once worked with a client that was able to reduce the cost of IT controls by 10 percent as a result of unexpected dividends from compliance-related monitoring.
"During the course of monitoring backup controls and processes an organization identified opportunities to switch back-up operations to a much more efficient process involving fewer tape exchanges," she says.
In a similar vein, database monitoring tools popular with many compliance and risk management professionals to keep tabs on sensitive data stores can also double as database performance tuning tools as well.
"By analyzing the audit trail, organizations can detect changes to their database schema, permissions and dependencies," says David Habusha, vice president of research and development and products for GreenSQL. "These changes can be a data feed to CMDB or SKMS systems and can be correlated with application roll-outs, performance and/or availability deviations and assist with root-cause analyses. It can also help customers to automatically document schema changes, auto rollback versions and alert on exceptions from software change management processes."
3. Network Intelligence and Troubleshooting
Monitoring utilities like security information and event management (SIEM) tools are great for correlating security incidents, but they're also quite useful as troubleshooting tools during network-wide deployment projects, says John Mensel, director of security services for Concept Technologies. He believes that the comprehensiveness of logs kept for compliance purposes, combined with the analytics of SIEM can give many organizations a big boost in identifying technical issues in a hurry.
"Having that capability to monitor deployments centrally and correlate log events as the deployment occurs greatly speeds time-to-resolution on problems that might otherwise be difficult to troubleshoot," he says.
Similarly, automated vulnerability assessment tools so valued by compliance programs also provide "substantial hidden value," he says.
"These tools provide a wealth of network intelligence above and beyond vulnerability data, and can serve as an effective double check on other tools," Mensel says. "I frequently employ Tenable Nessus as an inventory audit tool: by comparing the results of network-wide Nessus scans against results generated by my primary inventory tools, I often find devices and software that I would otherwise have missed, a big bonus."
4. Keeping Outsourced Vendors Honest
Many enterprises that depend on outsourcing firms to handle the bulk of their IT operations still retain control of their compliance and risk management functions for security reasons. In situations like that, the automated tools running the compliance program can offer a lot of valuable data useful in managing outsourced providers, Keanini says.
"The data gathered can produce factual evidence on the delivery of SLAs," he says. "In addition, the customer has superior situational awareness of what is on the network and precise information about how effective the outsourcing firm is at minimizing risk exposure."
5. Business Intelligence and Process Improvement
Perhaps the most impactful hidden benefit of compliance programs to the overall bottom line of the business are the analytics that can offer actionable data to improve business processes.
Leies has witnessed several examples at client organizations of these kind of positive side effects working their magic within line-of-business units. For example at one organization, a business process owner who had been self-assessing controls for two quarters for compliance purposes was able to pinpoint a trend and realized there were more efficient ways to process inventory receipts and transfers at the organization.
"They utilized the process documentation in order to assess the current process and identify how to streamline," she says. "The finance department eliminated several process steps and reduced cycle time and cost while improving physical inventory accuracy."
In another instance, the treasury department of a large organization found better ways to manage accounts after examining the controls around all of their cash accounts for compliance reasons.
"[They] identified three accounts that would be better managed as concentration accounts," she syas. "Efficiency and ROI were both improved over the subsequent months."
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.