There have been a number of reports stating concerns that IT’s focus on regulatory compliance may harm its security posture. While there may be many groups concerned about this, we need to step back and realize that regulatory compliance is a risk to be managed just like any other and that many regulations require varying degrees of IT security.
Organizations face a great number of regulations that they must comply with, and those regulations don't always agree with one another, especially when you cross country borders! The goal is not to be in 100% compliance; the goal of the organization is to make money in a sustainable manner. This creates a tension between the two, and when it is coupled with the natural variability of human behavior, even when people follow standards, it pretty well guarantees that organizations will never be in total compliance with all the laws and regulations they face.
Instead, to maximize resource utilization, regulatory compliance should be viewed as a risk that must be managed the same as all the other risks to the business. In other words, the need for certain facets of compliance must be weighed against other risks, and resources must then be invested appropriately.
Unfortunately, we do not live in a risk-free world with unlimited resources, and management decisions will constantly need to be made about what risks to address, mitigation options and associated costs.
Living With ‘Residual Risk’
It is important to understand that risks are managed, not eliminated. Management will invest resources to the point that they are willing to live with the risk that is left over, what is known as the “residual risk.” Their goal is not, and should not be, to always eliminate risks.
This perspective means that some security and operations people will be in the unsettling position of living with a risk they do not agree with. In the fight for scarce resources, the opportunity cost of compliance is real: in some situations, compliance consumes resources that security would otherwise have pursued, because management felt that the particular regulatory risk in question warranted the investment.
Shifting our focus to another angle, when we actually look at what is entailed by being “compliant,” we find that a great number of regulations actually require, or expect, security. In other words, regulatory compliance in many cases necessitates sound security practices.
Sarbanes-Oxley mandates that management is responsible for effective internal controls over the integrity of financial reporting. Safeguarding those critical financial systems requires security commensurate with the risks. The Safeguards Rule of the Gramm-Leach-Bliley Act expects customer information to be protected, as do the various state privacy laws, and so on.
Again, to comply with these regulations requires effective information security. Rather than a question of compliance versus security, perhaps the problem at hand is one of efficiency and working on tasks that seemingly take unnecessary amounts of time to complete. If there are issues about manual processes and tedious paperwork, then those are management issues that need to be identified and dealt with.
Regulatory compliance and controls are new topics for IT, and groups are at various stages of learning what is needed to comply and how to make those processes efficient. As compliance requirements become better known and internalized, the potential for automation increases.
For example, on one hand, forms may seem to exist only for compliance. On the other hand, they are the formalized documentation of processes that in many cases have long been needed to ensure that the proper activity is taking place, that the proper permissions and approvals exist, and so on. Paper-based manual forms that are faxed or sent through inter-office mail can be reviewed for replacement with online workflow systems that not only enforce the routing and rules but also automate the generation, storage and retrieval of evidence for audits. Manual log review can be automated with monitoring and alerting tools, not only for compliance but also to improve the security posture.
Reviewing systems for changes can be automated with integrity management systems, thus improving security, availability and compliance. The list of ways in which prudent activity benefits both compliance and security goes on and on, not to mention operational benefits such as the aforementioned improvement in availability that stems from effective change management processes.
In closing, regulatory compliance, security and even operational improvement are not mutually exclusive domains. Indeed, there is considerable overlap. In deciding where to invest time, resources and money, organizations must factor in all of the risks they face, including compliance and security, when determining which risks need to be mitigated and how.
The need to continuously improve on all fronts will not go away and instead organizations must learn how to optimize investments with the relevant risks in mind moving forward.