Preparing Enterprises for a New Era of Compliance
Massive amounts of digital data is being created every day from business transactions and personal data being put online – data that needs to be protected and secured. A Recent report projected a nearly 45-fold increase in annual data growth by 2020 and noted that one-third of all digital information will live or pass through the cloud. This massive growth of digital information is occurring during a time of increasing requirements to protect such information, and more transparency when there are failures in keeping data secure.
Significant changes in the compliance landscape have marked the end of business as usual, and compliance is now a serious board level concern. Despite significant progress in compliance and security programs within organizations, a new era is upon us with heightened compliance obligations, and organizations that don’t have the proper security controls will have to catch up quickly to in order to compete in the increasingly globalized economy.
Today, RSA, the Security Division of EMC (NYSE: EMC) released the latest research report from the Security for Business Innovation Council, taking an in-depth look at the complex web of new information protection regulations, reporting requirements, and third-party responsibilities that are dramatically raising the stakes for organizations around the globe.
The report, "A New Era of Compliance: Raising the Bar for Organizations Worldwide," describes the impact this new wave of legislation and legal obligations is having on business, sparking renewed board-level attention and forcing up-leveled strategies.
RSA and the Security for Business Innovation Council have highlighted the convergence of four significant new trends that are driving organizations to get much more serious about compliance.
Strengthened Enforcement - Although enforcement of information protection legislation has been weak in many jurisdictions worldwide, regulators are now strengthening it through expanded powers, higher penalties and harsh enforcement actions. Several states laws now mandate that encryption become effective within organizations that store certain types of customer information such as Personally Identifiable Information (PII), financial data or healthcare related data.
Global spread of data breach notification laws - Regulators are not just looking at ways to tighten up existing laws, they are introducing new laws aimed at forcing more transparency. Data breach disclosure is becoming a global principle as jurisdictions worldwide adopt privacy and data protection laws that include a general obligation to notify government agencies, individuals, and/or other authorities such as law enforcement of unauthorized access or use of personal data.
Increasingly Prescriptive Regulations - Breach notification laws are spreading across the globe. Another emerging trend is the tendency for legislation to get more prescriptive. New state privacy laws from Massachusetts and Nevada, which became effective in 2010 are arguably two of the most prescriptive information protection regulations faced by enterprises to date Growing business partner requirements - Responsibilities to assume business partner’s security is growing. Many existing regulations and standards call for organizations to assure that any third-parties which handle protected data employ adequate security measures. A recent wave of regulatory activity goes even further in establishing legal requirements for enterprises as well as their business partners to ensure the security of information. (Related Reading: Attack Surface Expanded by the Extended Enterprise)
“In a regulated environment, you essentially have to vouch for the fact that you’ve partnered with organizations which can handle the information in a secure fashion, consistent with regulation.” David Kent, Vice President, Global Risk and Business Resources, Genzyme
Compliance isn’t cheap. The report notes that in this new era of compliance, costs are sure to rise. In a recent survey, 55 percent of IT and security executives indicated that regulatory compliance costs accounted for moderate to significant increases in their overall information security costs. As the compliance landscape gets more complex, demonstrating compliance gets more time consuming and costly. Enterprises must constantly update their compliance programs to account for new requirements.
“Heightened scrutiny of other people and by other people is going to cost you. Besides regulators, customers or partners who are working with you are going to demand more of you. That’s going to add cost.” Stewart Room, Partner, Privacy and Information Law Group, Field Fisher Waterhouse LLP.
The council report offers some “how to” recommendations to help organizations to align their programs to the heightened demands of today’s compliance landscape and prepare for tomorrow.
1.) Embrace Risk-Based Compliance: Build an effective enterprise program that provides everyone in the chain – from individual business process owners to the board of directors – with all of the multi-faceted information needed to make risk decisions.
2.) Establish an Enterprise Controls Framework: Create a consistent set of controls across your enterprise that is mapped to regulatory requirements and business needs.
3.) Set/Adjust Your Threshold for Controls: Determine the "right" level of security controls and gauge the prevailing industry standard to meet the legal requirement for "reasonable and appropriate" security measures.
4.) Streamline and Automate Compliance Processes: Establish an Enterprise Governance, Risk and Compliance (eGRC) strategy that consolidates all of the information necessary from across the organization to manage risk and compliance and provide visibility into controls.
5.) Fortify Third-Party Risk Management: Move away from "boilerplate" security agreements and toward comprehensive third-party strategies that focus on: diversification, due diligence, rigorous contractual requirements, consequence management and governance.
6.) Unify the Compliance and Business Agendas: "Operationalize" compliance and develop the organizational structure required to fully embed compliance into the business and align it with the organization's highest-priority goals.
7.) Educate and Influence Regulators and Standards Bodies: Educate legislators and constructively affect regulation to avoid overly prescriptive rules that will cripple business.
The council was keen to point out that there is still a missing link - Though business innovation is powered by information; protecting information is typically not considered strategic; even as enterprises face mounting regulatory pressures and escalating threats. In fact, information security is often an afterthought, tacked on at the end of a project or – even worse - not addressed at all. But without the right security strategy, business innovation could easily be stifled or put the organization at great risk.
The full report is available at: http://www.rsa.com/innovation/docs/CISO_RPT_1010.pdf
Organized and sponsored by RSA, the Security for Business Innovation Council is a group of fifteen security leaders who are committed to sharing their own insights, tips, lessons learned and expert advice on winning security strategies to help move information security forward at organizations worldwide.