Compliance should be triggered by good security rather than an auditors' visit, says Jen Mack.
The rising tide of regulation in business has been good news for the information security industry. Companies have thrown money at security purchases in the hope that it will help their compliance efforts. But many businesses have spent unwisely and failed to make any real impact on the underlying security of their organisations.
What do companies actually get out of the process? Does this way of thinking help IT managers understand the level of risk to the business? Is security investment aligned to that level of risk? In many cases, the answer is no. It is just a tick in the box that sends the auditor away happy for another year.
If enterprises see compliance and adherence to some theoretical best practice as a goal in itself, they are missing the point.
Information security should be regarded as an integral part of the way a company does business. Compliance should be a natural by-product of good security practices. The box-ticking approach to compliance just encourages everyone to relax once the inspection is over.
One symptom of this approach is a blind belief that buying more security products will solve the problem, encouraged by vendors who promise to make companies "compliant" overnight by adding more levels of security to their IT infrastructure. This may give the illusion of security, but in many cases it has made companies less effective at actually stopping security incidents.
Real best practice requires user education and awareness, as well as sound security policies. For example, no intrusion detection system will stop a poorly trained user from opening a dodgy email attachment. You also need firm leadership from the top and must ensure proper understanding and management of risk at all levels of the organisation.
The challenge for an organisation is to gather risk information right across the board - including at the operational, strategic and business levels.
Once you have done that, you can start focusing your efforts where they are actually needed. For instance, by analysing previous security events, you can determine where threats came from and how often. You may find that your anti-virus signatures could be updated less frequently, saving time and resources with no impact on risk.
A well-managed security programme will monitor the risk profile of the company, and of key business partners, on an ongoing basis. But the appetite for risk will always be set by senior management.
It is all a question of assessing the threats and vulnerabilities, then putting a cost to them. How much are they worth to your business? If you routinely pass sensitive intelligence data to the Ministry of Defence, they'll naturally be worth a lot more than if you design toilet seats for a living.
This is basic security practice, but so often forgotten in the rush to be compliant. Why is this? The problem for many companies is that security has traditionally been viewed as an add-on rather than something integral. Attention and budget were focused as a reaction to changes in IT infrastructure, such as wireless networks, and then only as part of the overall IT budget. In many cases security only gained board-level attention because of compliance concerns and an increased understanding of information risk management as a discipline.
This approach also requires buy-in from all parts of the organisation. For some senior executives, it may be the first time they have given serious thought to their attitude to risk. But the effort can pay real dividends. It will improve the way the company operates, keep risk within manageable levels and will reduce the cost of compliance.
Appropriate security needs to be in the bloodstream of the company, which means it must be aligned with business goals, objectives and strategies. It must be based on an appropriate risk analysis and then communicated, understood and valued by everyone from the CEO downwards. Security is for life, not just something to impress the auditors.