Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk //


03:09 PM

Unifying Compliance Initiatives To Make Budgets Last

Don't reinvent the wheel with fragmented compliance initiatives

When taken regulation-by-regulation, compliance requirements can seem overwhelming as it is. But with enterprises facing regulatory mandates from anywhere between dozens to even hundreds of sources, the sheer volume of directives can seem crushing.

Fortunately, many of these compliance demands overlap--even if the language describing them may vary from regulation to regulation. Unfortunately, most enterprises can't seem to get their acts together enough to take advantage of the duplication. All too often compliance efforts are so fragmented into individual initiatives that organizations reinventing the wheel every time they are up for the next audit.

"Many of these organizations have multiple regulatory requirements they have to meet, be it HIPAA, SOX, certification accreditation, and things like that," says Tom Dimtsios, senior director of cybersecurity consulting at Telos. "It takes a large-scale effort to tie these multiple regulations together and try to figure out where you're going to get the most bang for your buck. The security practitioner has to go through and say this regulation is the same as this one and that regulation is the same as that other one. And in many cases the practitioner doesn't have the time up front to do all that."

But the alternative may actually be sucking up even more of their time than taking a step back and finding the redundancies. When organizations take on compliance with each regulation one by one, they end up repeating actions and controls, buying too-specific and duplicative technologies and draining resources away from security activities that really address risk.

"Of course the response to that is to unify your controls. Look at the set of audits you have in place, about what they have in common, pass that once, and use the same report over and over," says Dr. Mike Lloyd, CTO of RedSeal Systems. "This doesn't come cheap, it takes effort to do this but it can be done."

In many cases, companies can grease the skids and make the hunt for similarities in controls a little bit easier by using some kind of third-party framework around which they can develop their organization-specific security policies. These can either be governance frameworks such as ISO 17799 or COBIT, or compliance-focused frameworks such as the Unified Compliance Framework (UCF).

"Some of these frameworks make great strides to say this requirement meets that regulation and this meets that other one," Dimtsios says.

On the front-end, these frameworks will require a lot of resources to implement, so it will be important to communicate the value of the project to upper level management in order to snag some extra budget to bring in outside help.

One of the biggest returns to tell management about will be the ability to adjust on the fly to new requirements from regulatory updates or brand-new laws. Once a framework is set up, it is much easier to marry up the new required controls against them and keep compliance costs from multiplying every time the regulators get a bug in their bonnet.

"Being able to clearly see the many commonalities that exist when this information is unified is a real eyeopener," says Dorian Cougias, founder and lead analyst of Network Frontiers, the company that developed UCF. "It’s unfortunate that companies continue to waste time and money reinventing the compliance wheel each time a new rule is introduced or an old guideline is updated."

More importantly, though, the act of mapping out controls can help the organization more closely match overall security goals with compliance goals. As any security expert on the planet will tell you, achieving compliance is no guarantee that you'll achieve security.

"If you can close the gap between security and compliance, that's obviously a win. I talk about there being a 15-degree difference between what you do to be secure and what you do to pass your audit," Lloyd says. "A lot of companies tell me the difference is bigger than that, but to be conservative, I'll say 15 degrees."

That degree of difference is usually a byproduct of putting the cart before the horse. Organizations tend to get the order of operations backwards, by first establishing controls to meet compliance objectives and then, perhaps, backfilling with more robust controls to manage risks specific to the business. This usually leads to redundancies in some areas and serious security lapses in others.

Ideally, organizations should first decide on the biggest risks to the organization and the controls needed to mitigate them. Then step two should be to match those existing controls to the compliance mandates the organization must meet. Any existing gaps where compliance requires something that the existing controls don't satisfy can then be added after mapping the controls overlap.

"If your objective is just to be compliant, then you can do that, but it is going to cost more down the line to maintain that compliance versus if your objective is to secure your business first," says Michael Figueroa, senior vice president at security consulting firm InfusionPoints. "That is going to be more investment up front, but it's going to be much easier to maintain and much less investment down the line in order to maintain various levels of security and compliance."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
5 Ways to Up Your Threat Management Game
Wayne Reynolds, Advisory CISO, Kudelski Security,  2/26/2020
Exploitation, Phishing Top Worries for Mobile Users
Robert Lemos, Contributing Writer,  2/28/2020
Kr00k Wi-Fi Vulnerability Affected a Billion Devices
Robert Lemos, Contributing Writer,  2/26/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-02-28
On the QFX3500 and QFX3600 platforms, the number of bytes collected from the RANDOM_INTERRUPT entropy source when the device boots up is insufficient, possibly leading to weak or duplicate SSH keys or self-signed SSL/TLS certificates. Entropy increases after the system has been up and running for so...
PUBLISHED: 2020-02-28
Background For regular, unencrypted FTP traffic, the FTP ALG can inspect the unencrypted control channel and open related sessions for the FTP data channel. These related sessions (gates) are specific to source and destination IPs and ports of client and server. The design intent of the ftps-extensi...
PUBLISHED: 2020-02-28
An open redirect is present on the gateway's login page, which could cause a user to be redirected to a malicious site after logging in.
PUBLISHED: 2020-02-28
A reflected XSS vulnerability exists within the gateway, allowing an attacker to craft a specialized URL which could steal the user's authentication token. When combined with CVE-2020-6803, an attacker could fully compromise the system.
PUBLISHED: 2020-02-28
BigFix Self-Service Application (SSA) is vulnerable to arbitrary code execution if Javascript code is included in Running Message or Post Message HTML.