Meeting Compliance is Overrated—Manage Risk!

Efficient, Effective Risk Management is the Key to Ensuring the Best Possible Security Posture and, by Extension, Meeting Compliance

Security risks to your computer networks and systems are everywhere. Cybercriminals around the world are constantly targeting and probing enterprise networks, with the intent of penetrating them and committing their dirty deeds. What’s worse, these threats are continually evolving, complicating efforts to stay a step ahead.

Checkbox Compliance Equals Risk

Despite all the security breaches and malware exploits making headlines, that’s not what’s driving information security in companies today. It’s government and industry regulations like PCI, SOX, HIPAA, GLBA, FISMA and others. And while misguided, it’s somewhat understandable, as these regulations are meant to establish a baseline of security for organizations handling sensitive information.

The problem is that, while thinking they’re adequately securing their networks and systems, many organizations are simply stuck in a “checkbox mentality” of meeting regulatory compliance. You know, ticking off a checklist of audit requirements for each regulation they’re subject to. Now, this strategy certainly might help them pass audits, but it doesn’t really address the very real threats that are looming, waiting to exploit existing vulnerabilities. And it doesn’t adequately secure the people, assets and data the company needs to be protecting.

In fact, some of the most highly publicized information breaches have taken place not long after the affected companies passed compliance audits. It seems that the IT organizations were so focused on the audits, they missed the bigger, more important picture of ensuring corporate data security by effectively managing risk.

Achieving reliable information security needs to be based on real-world risk management, not artificial metrics.

The Complications of Compliance

Worldwide, there are some 500 different government and industry regulations in existence. In fact, it’s not uncommon for a single company to be under the purview of more than 100 of those regulations, depending on its industry and where it does business. In addition to those, the company likely has its own internal corporate governance policies to abide by.

However, it’s not just a matter of overwhelming numbers of different regulations. One of the tougher challenges facing organizations is the fact that regulations not only differ, but they also sometimes contradict one another between geographical boundaries. Any business operating in more than one state or country needs to address these reporting differences through policy and IT controls that enable compliance with each standard.

IT’s a Hard-Knock Life

Without the right controls in place for securing the enterprise and ensuring compliance, IT is left scrambling day after day, handling one fire drill after another. In this reactive mode, how can anyone be certain of the company’s security posture? What if an out-of-band patch comes along? How do IT staff know which systems need it? Even during a normal Patch Tuesday, how do they determine if all the systems need the fix right then and there? The so-called “spray and pray” method, where IT staff simply deploy everything they can, isn’t effective. In the end, IT spends so much time reacting to threats and patching, they can’t get onto any longer-term strategic projects or address other critical needs.

Companies that take this approach soon find that it’s simply unsustainable, as every year introduces a new set of regulations and updates to existing ones. Trying to keep up winds up consuming too much time, effort and money—and security is still never ensured.

It Comes Down to Visibility

According to the Enterprise Strategy Group, “More than 40 percent of respondents believe that their organization is either unaware of risks or unprotected against them.” I find that statistic simply staggering!

You need to be able to see everything that contributes to the risk equation: threats, asset criticality, vulnerabilities and in-place countermeasures. Effective risk management depends on real-time, end-to-end knowledge of everything in the risk equation. Only when you have this visibility can your company begin to effectively understand risk and optimize security controls to mitigate it. You can also prioritize security efforts while eliminating the manual and time-consuming process of correlating threats to critical systems.

Why is this so important? Let’s say there’s a new emerging threat, but you don’t know what defenses are deployed on each of your systems. How do you then know which systems are vulnerable? How do you know where to focus your IT efforts?
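The "risk equation" above (threats, asset criticality, vulnerabilities and in-place countermeasures) and the earlier question of which systems actually need an out-of-band patch both come down to one correlation: for each asset and each threat, is the asset vulnerable, is a compensating control already in place, and how much is at stake. The following is an added example, not code from the original column or from McAfee's products; the asset names, software labels, score ranges and the 1/4 residual-risk factor for a mitigated exposure are all constructed assumptions chosen to make the arithmetic easy to follow.

```python
from __future__ import annotations
from dataclasses import dataclass

# Added example (not the column's or McAfee's code): a minimal "risk equation"
# run over a constructed inventory. All names, versions and scores are made up.


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int                 # 1 (expendable) .. 5 (crown jewel), set by the business
    software: frozenset[str]         # what is installed, as reported by the inventory agent
    countermeasures: frozenset[str]  # controls actually in place on this host


@dataclass(frozen=True)
class Threat:
    name: str
    severity: int                    # 1 .. 5, from threat research
    affects: frozenset[str]          # software the threat exploits
    mitigated_by: frozenset[str]     # controls known to block it


@dataclass(frozen=True)
class Exposure:
    asset: str
    threat: str
    mitigated: bool
    score: int                       # residual risk: criticality * severity, cut to 1/4 if mitigated


def exposure(asset: Asset, threat: Threat) -> Exposure | None:
    """Correlate one threat with one asset. None means the asset is not vulnerable at all."""
    if not (asset.software & threat.affects):
        return None
    mitigated = bool(asset.countermeasures & threat.mitigated_by)
    base = asset.criticality * threat.severity
    # Assumption: a compensating control leaves a quarter of the risk on the table.
    return Exposure(asset.name, threat.name, mitigated, base // 4 if mitigated else base)


def prioritize(assets: list[Asset], threats: list[Threat]) -> list[Exposure]:
    """Every real exposure, highest residual risk first; unmitigated ones win ties."""
    found = [e for a in assets for t in threats if (e := exposure(a, t)) is not None]
    return sorted(found, key=lambda e: (-e.score, e.mitigated, e.asset))


def vulnerable_systems(assets: list[Asset], threat: Threat) -> list[str]:
    """Everything that will eventually need the fix for this threat."""
    return sorted(a.name for a in assets if exposure(a, threat) is not None)


def unprotected_systems(assets: list[Asset], threat: Threat) -> list[str]:
    """Vulnerable with no compensating control: patch these now, the rest on the normal cycle."""
    return sorted(e.asset for a in assets if (e := exposure(a, threat)) and not e.mitigated)


# Constructed inventory and threat feed (hypothetical hosts, software and controls).
ASSETS = [
    Asset("db-prod-01", 5, frozenset({"dbms-9.1", "sshd"}), frozenset({"hips", "network-ips"})),
    Asset("web-prod-01", 4, frozenset({"httpd-2.4", "webapp-fw-2.3"}), frozenset({"waf"})),
    Asset("hr-laptop-17", 3, frozenset({"office-suite", "pdf-reader-11"}), frozenset({"av"})),
    Asset("kiosk-lobby", 1, frozenset({"pdf-reader-11"}), frozenset()),
]
THREATS = [
    Threat("dbms-rce", 5, frozenset({"dbms-9.1"}), frozenset({"network-ips"})),
    Threat("webapp-injection", 4, frozenset({"webapp-fw-2.3"}), frozenset({"waf"})),
    Threat("malicious-pdf", 3, frozenset({"pdf-reader-11"}), frozenset({"app-sandbox"})),
]

if __name__ == "__main__":
    for e in prioritize(ASSETS, THREATS):
        flag = "mitigated" if e.mitigated else "UNPROTECTED"
        print(f"{e.score:3d}  {e.asset:<14} {e.threat:<18} {flag}")
    print("needs the pdf-reader fix now:", unprotected_systems(ASSETS, THREATS[2]))
```

Run as is, the ranking puts the unprotected HR laptop (residual 9) above the crown-jewel database (25 reduced to 6 by the network IPS), which is the point of tracking countermeasures alongside criticality: the most valuable system is not automatically the first to patch, and the "spray and pray" alternative would treat all four hosts alike. The real data sources behind `software` and `countermeasures` (inventory agent, vulnerability scanner, control telemetry) are what the column means by visibility; the arithmetic itself is the easy part.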

Visibility into risk is difficult to achieve. And unfortunately, most companies don’t do it well. In fact, in an IT security industry survey conducted by Evaluserve, 97 percent of organizations felt that they do not have full visibility into their IT risk posture.

So Where Do You Start?

Start looking at your enterprise security from a threat perspective. Develop a comprehensive, proactive, sustainable strategy for gaining visibility of threats and your in-place countermeasures.

Work with vendors who will look at all available threat research and serve up the information that you need to protect your company, people and data. Once you have that information, you can then make intelligent, informed, risk-based decisions on where and when to commit resources.

Finally, put controls in place that allow IT staff to evaluate threats and assess risk, identify and classify systems, and prevent exploitation of vulnerabilities.

Taking these steps will help radically improve your organization’s security posture. As a result, compliance will then naturally fall in line, as will improved business productivity.

The Ideal

So what does it all look like in the end? Well, ideally, you would have a centralized management console that would integrate all your various countermeasures and provide single-pane awareness of your security posture as well as compliance status.

Integration is vital here. When evaluating security and compliance solutions, you should choose best-in-class solutions that would integrate products from the same vendor as well as third-party vendors. Any component that didn’t integrate would create security risks and adversely affect IT efficiency and your company’s ability to scale compliance efforts.

Automation is also key. Ideally, the IT environment would automatically adjust to the evolution of threats. As new threats emerged, your environment would adjust to prevent them from doing harm. Patch management would also be automated, preventing holes from opening up.

With the right controls in place, you would always stay ahead of threats. Your IT organization would also be equipped to scale to handle tens or even hundreds of regulations.

Companies that are successful with risk management establish consistent, repeatable processes. Security becomes second nature. And audits are made simple. In fact, some companies become so proficient with risk management and enabling continuous compliance that their internal audit reports are accepted by external auditors as proof of compliance. You can imagine the savings.

Cultivating a Culture of Security

You’ve heard the old saying that “life’s a journey, not a destination.” The same can be said about risk management. It’s not enough to simply put a few slick security controls in place and get IT to use them consistently. You need to espouse a culture of security across your company that starts with managing risk. It doesn’t do much good to have the tightest possible security controls in place, pass every audit with flying colors—and then be tomorrow’s headline for having been breached. Believe me, it happens.

Remember that people are a part of the security equation, too. Get them involved early, educate them regularly and motivate them to improve security, and continuous compliance becomes easier.

Manage Risk to Ensure Security and Meet Compliance

Efficient, effective risk management is the key to ensuring the best possible security posture and, by extension, meeting compliance. Too many companies are caught up in a “checkbox compliance” mentality or just “spraying and praying” that they get the threats before the threats get them. As we’ve seen, that approach simply isn’t sustainable.

Start a program in your company to gain visibility of threats and vulnerabilities, and put controls in place to mitigate your risks. With the right controls in place—integrated, automated controls that take the guesswork out of when and where to focus security efforts—you’ll be able to boost security and ensure regulatory compliance, while saving time and money.

Gary Davis manages the Risk & Compliance portfolio of products at McAfee. Prior to joining McAfee, Davis worked in marketing and product management for 17 years, including more than a decade in executive management. During this time he developed and implemented successful global strategies and plans to achieve high-revenue growth, improved profitability, and sustained customer value for security, social networking and B2B integration companies.