It’s a tough question for many organizations – is it more important to be compliant or to prioritize energies on improving security? In theory, these initiatives should not be in conflict with one another. With the best of intentions, regulations are meant to help mandate best practices for security, something that organizations should be doing anyway. Regulations are the enforcer of those best practices. Or, they should be. CIOs have compliance at the top of their list but does that mean that the rest of the organization also prioritizes the best practices that come with being ‘in compliance’ with a particular regulation? Not necessarily. Organizations very easily lose the forest for the trees, so to speak. Forgetting that in an ideal world, security goes hand in glove with compliance. It’s not an ‘either/or’ scenario.
The reality is, companies are facing new regulations all this time. Recently New York’s Department of Financial Services published its “first-in-the nation” cybersecurity regulation designed to impose cybersecurity requirements on entities such as banks, consumer lenders, money transmitters, insurance companies and other financial service providers operating in New York. Among other things, the draft regulation requires limited access to information and systems. For example, covered entities will be required to limit access to nonpublic information solely to those persons who require such access to perform their jobs. While the rules apply only to New York at this point, it’s expected that other state and federal government entities will follow suit shortly. This regulation adds to the wave of regulations that are now starting to get some real teeth – like GDPR in the EU, which brings hefty fines and addresses the largely ignored issue of unstructured data.
Given the regulatory environment we live in today, how can IT leaders strike the balance between security and compliance?
For starters, we’re seeing this legislative trend drive organizational changes within our own customers with the emergence of positions like the chief risk officer and chief compliance officer. This is proof positive that organizations are starting to see compliance through a risk ‘lens’, helping IT to categorize risk and design controls (including identity and access controls) that appropriately address the highest areas of risk with the highest degree of oversight – and the lowest degree of oversight over the areas that represent the lowest areas of risk. This approach then arms compliance officers to work hand-in-hand with their security counterparts to demonstrate to auditors that the appropriate controls are in place to address both security and compliance.
While no one in IT can argue against the need to address compliance requirements, it’s important for companies to not lose sight of the need to effectively manage IT risk as an overriding driver for both compliance and security strategies. Unfortunately, some companies have done just the opposite: they’ve become so focused on following the letter of the law to pass IT audits that they’re spending less and less time determining their own requirements to effectively manage security risk. There are numerous cases of companies who have passed IT audits but still suffer security breaches, arguably because compliance doesn’t necessarily ensure the proper IT controls are in place to prevent theft and misuse, especially against insider threats such as employees and contractors and their access privileges. In essence, it’s not enough to be compliant. Too often, compliance simply means that an organization has convinced an auditor of due diligence in accordance with a prescribed checklist that may or may not fit the company’s particular business needs or risk profile.
At the end of the day, it’s important to remember that security and compliance are meant to work together, not one versus the other. Throwing around a term like a security ‘best practice’ to ensure compliance seems like just another buzzword, but if you pull that phrase apart, it’s pretty simple. Take the best of what you’re taught to do from a security standpoint and put it into practice. Make it sustainable and repeatable and something that everyone within the IT organization can rally around. That’s the inflection point where security and compliance come together, putting security at the center of your company’s IT infrastructure.