No escape from the regulator
Nobody likes having someone looking over their shoulder and telling them how it's done, but this is the reality for CISOs in a tough regulatory environment. By Rob Buckley.
Whether they work in traditionally regulated industries such as healthcare and telecoms, or a less-regulated environment such as retail, the work of CISOs is being thrust under the spotlight and subjected to numerous requirements related to governance, risk and compliance (GRC).
While the likes of Sarbanes Oxley and the Data Protection Act have been around for years, recent additions to the list of GRC standards include the UK's Good Practice Guide 13 and Bribery Act, and the US's whistleblowing legislation the Dodd-Frank Act. There are, in fact, too many to mention in this article, even if we ignore individual states' breach disclosure legislation, the numerous EU directives and other country-specific laws.
This compliance burden has been increasing steadily over the past decade or more, but only recently has it been taken seriously by many organisations, thanks in part to fines imposed and action taken by the regulators. “There are now serious implications of not taking appropriate actions,” says Jeff Schmidt, executive global head of business continuity, security and governance at BT Global Services. “The CFO and CEO can go to jail now.”
Martin Landless, technical director, international at LogRhythm, explains: “There's now a definite push to adopt compliance regulations. It used to be enough to say you were working towards compliance. It was like a ‘get out of jail free' card, but that's not satisfactory any more.”
The PCI DSS rules, once easy to avoid, particularly for small companies, through either self-assessment or using the excuse above, are now being enforced; other agencies, including the Information Commissioner's Office, are also looking to make examples of companies in breach of regulations.
Most compliance legislation, however, doesn't involve harsh penalties – and for many companies, particularly those in the financial services and defence sectors, the fines that do exist are not large enough to worry them. Of more concern are the reputational issues.
“The media is making organisations sit up and pay attention. That exposure is more crucial than financial penalties,” says Martin Knapp, managing director of Mycroft Talisen, which provides cyber security and IT governance services to the defence and aerospace industries. For defence companies in particular, not being able to secure their own systems reflects badly on their products.
Small and medium-sized businesses can't escape GRC either. While there's no legislation that targets SMEs specifically, more of them are being scrutinised by the banks, which are in turn being put under pressure by credit card issuers to ensure corporate customers are PCI DSS compliant. Neither does their size make them immune to the Data Protection Act and data loss issues, because although the under-resourced Information Commissioner's Office has mostly been targeting larger organisations, SMEs face mounting pressure from customers and suppliers to show compliance.
“It's not just your infrastructure you have to worry about but that of anyone you do business with,” says Frank Kenney, vice president of global strategy at Ipswitch File Transfer.
However, GRC is also being seen in a positive light – as a way of marketing companies' trustworthiness. Matthew Tomlinson, director at SecureData, reports that budgets are being allocated to GRC projects for this reason. “It's being seen as a business enabler. Internet-facing businesses are advertising their PCI DSS compliance or their adoption of ISO 27001 and so on to show consumers and partners that they can be trusted with data.”
While most CISOs know about the high-profile pieces of compliance legislation, there are bound to be gaps in their knowledge.
Recommind's senior corporate counsel, Howard Sklar, claims that 20 per cent of chief information security officers have not heard of the UK Bribery Act, despite risk manager Willis recently being slapped with a £7 million fine from the Financial Services Authority.
Jonathan Preston, who works in Hitachi Data Systems' information management division, says many CISOs in multinationals are struggling to deal with all the compliance regulations that apply in different countries. Michele Zoerb, director of information security at 41st Parameter, which trades in the US and the UK, had to undertake considerable research when implementing compliance measures in the company's various offices – and ended up drawing up a grid of what was mandatory, what was voluntary, the fines involved, and what could legally be imposed, for each territory.
Awareness is just the beginning, of course. “Generally, people know what they're required to do and how to demonstrate they're doing it. Where they struggle is knowing how to do it,” says Simon Marvell, a partner at Acuity Risk Management.
Reading the regulations themselves isn't always a help. “I wouldn't advise reading the first few pages of PCI DSS unless you're a major insomnia sufferer,” says SecureData's Tomlinson. “It appears onerous, it's full of government speak, everything's bad and the sky is falling in.”
Relying on trusted partners for help isn't always a good idea either, says Ash Patel, country manager for the UK and Ireland at Stonesoft. “All of us ultimately have the goal of selling products. You need to go to an independent organisation [for impartial advice], but again you need to be careful you don't end up with an unnecessary consultant,” he explains.
Patel adds that while larger outfits are typically well-versed in compliance requirements, SMEs tend to know only “what an IT salesperson has told them”.
To keep within budgets and reduce complexity – as well as prevent the pre-audit rush to update compliance – CISOs are now looking at more generic frameworks that they can adapt to their own needs. 41st Parameter's Zoerb says aiming for ISO 27001 compliance, on which PCI DSS is largely based, is effectively future-proofing the company against big adjustments for further compliance legislation.
Garry Sidaway, director of security strategy at Integralis, says: “Organisations are trying to stay agile and reuse policies, to make sure they are reusing good project governance.”
It's this kind of approach that is likely to pay dividends in the long run. While it might be tempting to stick to a spreadsheet of practices, now is the time for those who have somehow escaped GRC to look at a framework for the future, not just to avoid the stick of fines and breach notifications, but to achieve better working practices and improved partner and customer relationships.
Trends in GRC systems
It's often unclear exactly what is a GRC product and what isn't. At the very least, GRC systems worthy of the name should offer audit, compliance, risk and policy management and be able to do at least some of the following functions: automate workflow management, produce audit trails, mask data and encrypt it, continuously monitor systems, offer flexible automated reporting, segregate duties, escalate status alerts and except certain kinds of alerts.
Gartner has noted market consolidation, with larger vendors becoming dominant through acquisition – IBM acquiring OpenPages, EMC-RSA acquiring Archer, BPS and Resolver merging to form BPS Resolver, Thomson Reuters acquiring Paisley, Software AG acquiring IDS Scheer, SoftPro Systems acquiring Cura, and Wolters Kluwer acquiring Axentis. As a result, the leading platforms, according to Gartner, are BWise, MetricStream GRC, IBM's OpenPages, Oracle GRC Suite, SAP BusinessObjects GRC and Thomson Reuters' Enterprise GRC. Other products worth watching include EMC-RSA's Archer eGRC, Enablon, Software AG's ARIS, SAS Enterprise GRC, Mega Suite, SoftPro Systems' Cura Enterprise, Jade's Enterprise Risk Assessor Kairos and Active Risk Manager.
With the market still in its relative infancy, however, the turmoil in compliance means that systems aren't yet close to being the magic bullets that buyers might wish for. Gartner says: “Customers are looking for vendors not just to provide content for standards, regulations and policies, but also to keep the content updated, manage content licences, provide alerts when a new regulation or change to a regulation emerges, and provide analysis and policy changes based on the impact of the change. No vendor is fully addressing this, although the major regulatory content publishers (such as Thomson Reuters and Wolters Kluwer) have some solutions for the financial services sector.”
Case study: The Share Centre
For stockbroker The Share Centre, compliance has always been an issue, but increasingly so in recent years. “Compliance has been very visible within the organisation, with regular training in money laundering, data security and anti-bribery legislation,” says Giles Roberts, IT infrastructure manager. He adds that “we get audited a lot more than we used to and third parties have been asking us for documentary proof of compliance. It's been a big change”.
PCI compliance in particular compelled the company to examine its procedures, in part because its bank, urged in turn by the credit card issuers, asked it to. Roberts explains: “First, I did research into what the requirements were. I did a one-day introductory PCI DSS course and bought books. Then I developed a project plan and worked out what needed to be achieved with the IT infrastructure team. There was some involvement from the compliance department around education as well. Then I costed it and talked with the board about the procedures, since the IT push needed to come from the board.”
Roberts is grateful that the board had the foresight to back the project. “They said, ‘If that's what it costs, that's what it costs. If you need to spend an extra £50,000 to do it, then do it'.” Nevertheless, there were “uncomfortable decisions” to be made. The group developing the company's core applications potentially had too much access to sensitive information, for example. Roberts eventually spent half of his time creating policies, and the other half dealing with the technological considerations.
Data Protection Act compliance meant the company had already implemented a data loss prevention strategy, including encrypting laptops and portable drives, a ban on USB devices, and monitoring of and restrictions on web browsing. As a result, most of the changes for PCI compliance were to do with shoring up perimeter security and investing in automation.
“The biggest investment was a log manager from LogRhythm, which saved us a lot of management costs: security events were a major area for automation,” says Roberts. “But we also updated our firewalls, installed web application firewalls and isolated card data. Now only three of us can get onto the machine with this data.”
The project took nine months to complete and cost £70,000. Maintenance charges on the new systems have come in at 15 to 20 per cent through three-year deals, for roughly a £10,000 annual bill on top of that initial outlay, Roberts reveals. In terms of manpower, compliance administration means that Roberts has effectively lost nearly one person from his team in extra hours.
Roberts' recommendation is to get buy-in from the board for any compliance project. “That's absolutely crucial. And don't believe what the vendors or anyone else says.”