Compliance complacency

Opinion by Shirief Nossier

We all know that there is a minefield of governance, risk and compliance (GRC) regulations that companies must adhere to.


From the payment card industry data security standard (PCI-DSS), ISO 27000 series and COBIT, to the Financial Services Authority (FSA) and European Union data protection laws – the list goes on. All these rules are there to keep a check on situations such as data breaches, mergers and acquisitions and insider trading and so forth.

These regulations have brought high-level attention over recent years, and while they have led to new challenges for adequately securing an organisation, they have also been a driver for the advancement of business information security.

There are numerous contributory factors that can derail a company's efforts to stay compliant and lead it to become compliance-complacent. The most common factors boil down to a lack of understanding of: how to rationalise the different regulation requirements; the true cost of compliance (that is, as opposed to non-compliance); and the benefits of compliance beyond just avoiding fines and penalties.

On the subject of the cost of compliance vs. non-compliance, either way it can quickly become expensive. The Ponemon Institute released the results of an interesting survey on 'The True Cost of Compliance', for which they interviewed more than 160 leaders in major corporations to understand the exact costs of their compliance efforts, or the costs they faced for non-compliance.

The research captured information about direct and indirect costs associated with compliance activities during a 12-month period. The results were compelling: the average cost of compliance was £2.2m, the average cost per employee was £140, and the areas of greatest compliance cost were data protection and enforcement.

Further results from the study show that when you consider that the average company must comply with 45 different regulations, and heavy fines can be imposed depending on the severity of the misconduct, the average cost for non-compliance was £6m, or £520 per employee. It said the cost for non-compliance was 2.65 times the cost of compliance for these organisations.

If we just take a look at one of the main regulations, Sarbanes-Oxley: approximately half of mid-sized companies spend from £63,000 to £315,000 per year on this, with 70 per cent spending up to £630,000. It is perhaps not surprising that there is a tendency to be reticent about compliance.

However, it is not simply a case of calculating that paying a fine is cheaper than the process of compliance. Organisations need to think of compliance as an insurance policy – one that eliminates unforeseen costs while protecting business value.

Stock-market value reduction, the detriment to a company's brand reputation and potential loss of customers and intellectual property are all costly factors that can be eliminated if complacency is avoided.

So what does complacency mean from a security perspective? Globally, many companies have experienced a data breach of some kind and, of those breached, a high percentage lost revenues and customers as a result. Security is essential to the protection of a business's critical systems and information from unauthorised access and use as well as data leakage. It is an organisation's fundamental responsibility to take a more strategic approach to compliance.

The most effective way of reducing the compliance burden is to introduce risk assessment (that is, give higher priority to the compliance requirements that will mitigate the highest risk in your business) and rationalisation of controls for multiple regulations (rather than treating each regulation in isolation).

To enforce and automate these controls, turnkey solutions are available that will help an organisation to protect and monitor its critical digital assets and to understand who is using them and how.

This could range from understanding what the role of an employee in your organisation is, what information he/she is entitled to access and how they are able to use it, through to analysing the behaviour of your users, evaluating the risk of their actions, and reporting on potential compliance risks and breaches. Can you really afford to be complacent?

Top ten tips on compliance:

1 - Assign who will lead your compliance efforts. Either use resources from inside your business or, if you don't have in-house expertise, bring in a consultancy to help.

2 - Identify the various regulations that your business is governed by and understand the essential compliance requirements that make up these regulations. For organisations with international presence, you need to consider that each country might have its own local requirements. Concurrently, you need to work with the risk management team to find out your business risks and their priorities.

3 - Rationalise the compliance requirements of all your regulations, as well as your internal policies, and boil them down to a single set. Also identify any risks that are not sufficiently addressed and define the necessary compliance requirements to tackle the gaps; highlight which compliance requirements will mitigate the highest risks in your business, and give special attention to addressing them.

4 - Figure out the policies and controls that need to be enforced to meet your compliance requirements; you'll find that it's an iterative process. Give special attention to the requirements linked to your highest risks.

5 - Understand the deadlines/timelines to compliance issues. Ensure that you plan and scope for phased projects that deliver, from a risk perspective, quick and measurable results in each phase.

6 - Invest in policy-based technologies that help you with automating your compliance controls and processes and monitoring their effectiveness – particularly the audit process, as it provides quick and high return on investment.

7 - Ensure information security awareness through educating and training your employees. You need to remember that hackers today use social engineering to compromise defences.

8 - Some compliance requirements are behavioural, not technological. Data-loss prevention technologies are ideal for educating users and driving their behaviour on how to best protect data while using it.

9 - Budget accordingly to ensure you achieve your objectives and do not run out of funding before demonstrating value. Also ensure board-level buy-in and maintain their attention by demonstrating ongoing value.

10 - Remember that compliance is an ongoing process, not a one-off effort.

Shirief Nossier is EMEA product marketing director for security management solutions at CA Technologies
