Forward-thinking Companies are Avoiding Checkbox Compliance and Fire-drill Responses to Security Incidents in Favor of Sustained, Continuous, and Auditable Risk Management and Compliance Initiatives. But there’s Still Work to be Done.
Risk and compliance. They go together like peanut butter and jelly, Harley and Davidson, Charlie Sheen and bad decisions. Er… In other (fancier) words, the two are inextricably interrelated. However, I’ll do my best to pull them apart enough to talk about them somewhat separately. Well, I should say “we.” Here, in this article, I will focus on the current state of compliance in the enterprise.
Threats Driving the Need for Compliance
It seems everyone is after corporate data today: cyberthugs, morally corrupt competitors, and even rogue nations seeking cutting-edge intellectual property or state secrets. In addition to external threats, corporations also face insider sabotage, identity fraud, and unauthorized access to systems and networks. And every day, these threats grow in number and sophistication.
This situation puts organizations under incredible pressure to protect customer information and privacy as well as their own sensitive business information—and be able to prove it to auditors. That pressure is only growing, as governments and industries ratchet up their compliance regulations. For example, after the recent economic meltdown brought on by financial mismanagement, companies now face an aggressive regulatory environment and skyrocketing penalties for violating mandates.
Maintaining strict levels of security and compliance—all the while trying to conduct business—can be a time-consuming and error-prone task for most companies. Integrated risk and compliance products promise to help organizations coordinate and automate the entire security and compliance process, freeing them to focus on their core business. So are they helping?
At McAfee, we were interested in learning about the factors that consumers of risk and compliance products face in 2011. So we commissioned Evalueserve to perform an independent study. The study, titled Risk and Compliance Outlook 2011, surveyed 353 IT decision-makers, consultants and security analysts to gain their views regarding the challenges of risk and compliance management in a highly regulated and increasingly complex global business environment.
Challenges in Meeting Compliance Mandates
Among the challenges noted in the survey, the top three were: keeping IT systems compliant, automating IT controls, and understanding the compliance regulations themselves—especially when multiple regulations need to be simultaneously addressed. Multiple regulations within each national jurisdiction and the fact that regulations vary from country to country only serve to complicate matters for respondents.
What’s working here
Through the study, we learned that companies recognize the need to improve policy compliance through more integration and automation of IT controls. While not eliminating the need for human participation, automated risk and compliance tools and standardized security suites are beneficial. They enable skilled professionals to quickly understand regulations, focus on informed decision-making rather than on slow and error-prone manual information gathering, and manage regulations using a common set of processes and data—reducing the burden of compliance assessments.
Technically Speaking, Database Security Remains a Challenge
When asked purely in terms of technology, respondents ranked protecting databases as their biggest infrastructure challenge in complying with regulatory mandates. Network defense mandates ranked second. And application security was listed third.
These results weren’t surprising. In recent years, database security has come under increased regulatory scrutiny. The focus has largely been on privileged user accounts, access control, and activity monitoring against established “normal” usage baselines. Such emphasis is understandable when you consider that approximately six out of every 10 companies surveyed said that they track the type of changes that occur, but less than half of them also track who made the change and from where.
According to the survey, “The failure to track individuals leaves a significant gap in accountability, either for failure to perform their duties properly or, in the worst case, making it more difficult to track down a malicious insider.”
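The accountability gap described above, where the type of change is recorded but not who made it or from where, is exactly the condition a review of database change-audit records can surface. The following is an added example, not McAfee's or the survey's code: the audit records are constructed, and the baseline values (privileged accounts, trusted admin network prefix, business hours) are assumptions chosen for illustration.

```python
import json
from datetime import datetime

# Constructed database change-audit records (illustrative, not real data); the
# third one records the change type but not who made it or from where.
SAMPLE_AUDIT_LOG = """
{"ts": "2011-03-02T09:14:05", "change": "ALTER TABLE", "object": "customers", "user": "dba_alice", "src": "10.20.0.15"}
{"ts": "2011-03-02T23:41:17", "change": "UPDATE", "object": "payroll", "user": "dba_alice", "src": "203.0.113.44"}
{"ts": "2011-03-03T10:02:51", "change": "DROP INDEX", "object": "orders"}
{"ts": "2011-03-03T11:30:00", "change": "GRANT", "object": "payroll", "user": "svc_report", "src": "10.20.0.31"}
"""

# Assumed "normal usage" baseline: privileged accounts, trusted admin network, business hours.
BASELINE = {"privileged_users": {"dba_alice"}, "trusted_prefix": "10.20.", "business_hours": (8, 18)}

def load_records(text):
    """Parse one JSON record per line."""
    return [json.loads(line) for line in text.strip().splitlines()]

def review_change(rec, baseline=BASELINE):
    """Return the findings for one change record; an empty list means no concern."""
    findings = []
    # Accountability gap: the change type is known, but the actor or origin was not recorded.
    for field in ("user", "src"):
        if field not in rec:
            findings.append(f"missing {field}")
    user = rec.get("user")
    src = rec.get("src", "")
    hour = datetime.fromisoformat(rec["ts"]).hour
    start, end = baseline["business_hours"]
    # Deviations from the established baseline for privileged activity.
    if src and not src.startswith(baseline["trusted_prefix"]):
        findings.append("untrusted source")
    if user in baseline["privileged_users"] and not start <= hour < end:
        findings.append("privileged change outside business hours")
    if rec["change"] == "GRANT" and user not in baseline["privileged_users"]:
        findings.append("privilege grant by non-privileged account")
    return findings

def review_log(text, baseline=BASELINE):
    """Review every record; returns a list of (change, object, findings) tuples."""
    return [(r["change"], r["object"], review_change(r, baseline)) for r in load_records(text)]

def attribution_gap(text):
    """Fraction of change records lacking actor or origin (the survey's accountability gap)."""
    recs = load_records(text)
    return sum(1 for r in recs if "user" not in r or "src" not in r) / len(recs)
```

Running `review_log(SAMPLE_AUDIT_LOG)` flags the second record for its source and timing, the third for missing attribution, and the fourth for a grant issued by a non-privileged account; `attribution_gap` reports the share of changes that could not be tied to a person.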
Findings from a 2010 Verizon Business Study showed that more than 92 percent of records breached involved a database. This trend needs to improve, as customers store their most critical and sensitive data in databases. For many organizations, that data is their lifeblood; any loss, interruption, or security breach would mean disaster.
What’s working here
To meet their database security requirements and handle change management issues, 75 percent of the responding companies currently deploy configuration assessment tools. This is followed closely by file integrity monitoring and database activity monitoring products—both at 68 percent. However, a whopping 93 percent of respondents indicated that they were currently deploying or were expecting to deploy database activity monitoring (DAM) tools in the near future.
Strong change control monitoring, enforcement, and reporting are essential to effectively implementing and maintaining a risk management and compliance program on an enterprise scale.
“When in Doubt, Patch” Isn’t the Answer
System patching remains the core remediation function in IT security. Generally, IT decision-makers are confident in their abilities to patch security flaws. However, they tend to invest tremendous numbers of work hours into the patching process, and out-of-cycle patches significantly disrupt their operations when they occur. The survey also showed that 82 percent of respondents feel that out-of-cycle patches significantly impact productivity.
One problem facing organizations today is determining which systems actually need to be remediated. As a result, 44 percent of surveyed companies said that they overprotect by patching everything possible. “When in doubt, patch” is clearly not a good way to reduce patching time. Asset discovery, vulnerability detection, and risk assessment can help IT staff identify systems requiring remediation, prioritize patching, and avoid or at least delay non-critical patches.
What’s working here
Compliance products are helping organizations streamline their patch management programs by automating the discovery of vulnerable systems, remediation and verification of patch operations, and auditing and reporting tasks. Study estimates revealed that an average of 12 work-hours could also be saved per week if patching frequency is reduced from weekly to monthly.
Those Dreaded Audits
“Dreaded” might be too strong a word. Then again, depending on the company, it might be spot-on accurate. In the study, 75 percent of companies were confident they would pass a regulatory audit. That’s encouraging news. However, more than half also said that they had already failed an audit, with nine percent reporting that their audit failures had resulted in fines.
Another area of concern was that four out of 10 companies jump into firefighting mode with an “all hands on deck” approach when an audit approaches. Auditors’ requests for additional evidence often mean producing logs and reports from scratch, a cycle of redundant effort repeated for each audit. Worse still, companies often can’t prove their case because they can’t produce the requisite evidence.
What’s working here
Only a quarter of surveyed companies claimed that they don’t worry about audits. This attitude indicates that they feel they are not only compliant but also well-prepared when it comes time to prove it.
Risk and compliance tools are helping companies execute successful audits. That’s because these tools support IT security controls through automated analysis, monitoring, enforcement and verification, centralized management, and on-demand reporting. The ability to quickly produce forensic evidence from common data sets to meet various regulatory requirements and internal policies greatly reduces the resources that need to be committed to compliance efforts.
A Growing Market for Integrated Solutions
Investment in compliance products is strong—and will continue to grow—particularly in the areas of change assessment, file integrity monitoring, and database activity monitoring. In fact, nearly half of all surveyed companies plan to spend an average of 21 percent more in 2011 on risk and compliance solutions, with the majority of CSOs and other decision-makers demanding integrated, automated solutions rather than point products. Security information and event management (SIEM) looks to be the highest gainer for 2011.
The Long and Short of It
Overall, the Risk and Compliance Outlook 2011 report suggests that forward-thinking companies are avoiding checkbox compliance and fire-drill responses to security incidents in favor of sustained, continuous, and auditable risk management and compliance initiatives that address IT security as a business risk. And that’s promising news. However, as we’ve seen, there’s still work to be done.