A Checkbox Compliance Mentality Can be Very Costly

Compliance is a worthy adversary, and as I witness every day, it is a substantial burden for many organizations. As a security consultant, my focus is information security with specialties in network controls and data monitoring—think firewall, SIEM, and those kinds of things. Because these controls tie into many compliance standards, I must be aware of many different issues that tend to organically translate into advice and consultation in my daily professional life.

The reality is that compliance is hard. There are many different governing bodies, and there is no single answer, since many standards must be interpreted based on the specific business in question. As the IT world grows, so do its compliance burdens. Standards like HIPAA, PCI, GLBA, and other regulatory constructs are challenging for small- and medium-sized businesses (SMBs) because they do not generate revenue. Instead, they create a cost center and therefore are under constant budget pressure. The language of compliance is broad, confusing, stressful, and unrelenting. So, it's easy to see how a checkbox compliance mindset grows from these stressors.

While compliance issues are demanding, vendors don't always help. Common marketing materials cover as many compliance areas as possible to lure you into buying their products or services. Too often, a lot of promises are made and contracts are signed, only to find out that the solution deployed will not entirely fill your needs. The shortfall likely forces you to buy other components from other vendors in an attempt to piece together a full solution set.

Products and solutions from multiple vendors overlap and can quickly get out of hand, leading to costly and time-consuming maintenance, poorly integrated solutions, and other points of stress. This checkbox compliance approach often ends up being as expensive as slowing down and taking a more focused approach would have been.

Enterprise businesses have teams that focus on business audits and are better staffed to handle these burdens, but SMBs do not always have this luxury. Still, while compliance is hard, it is not impossible. Laying the foundation is essential, and as you build your infosec program, data and risk should be central areas of focus. Data is the foundation of compliance, and understanding where your data lives, where it is transported, and who can access it is paramount to defining every policy and component of your program. Risk tells you where to focus your efforts and allows you to understand where controls should be placed and introduced into an estate.

As escalating compliance demands become the norm, SMBs are faced with the possibility of more substantial fines and penalties than ever before. And, because audit management is not the focus of most SMBs, getting ready for an audit often feels like a new, inefficient process every time. However, a focused approach, rather than a checkbox compliance mindset, allows businesses to develop better processes, define effective scopes, and build repeatable procedures. As compliance approaches are being developed within your company, the following are some tips:

  • Risk assessments are our friends: they guide our focus and are the first step to building a proper compliance and information security program. IT is a cost center, and explaining the price of risk helps executives understand the importance of funding these programs.
  • You will need multiple vendors, but choose based on your scope, not based on compliance in general.
  • Understand your data, both at rest and in transport.
  • Keep audits focused, and don’t try to solve for every burden—the best way to attack compliance challenges is to stay focused.
  • Understand that ignorance is not a defense that works within today’s environment. Claiming ignorance doesn’t work, but an understanding of reasonable effort is always in play. We all know you do not put a million-dollar fence around a ten-dollar horse, but we must protect our customers and our employees.

Compliance can be achieved and maintained if you build the right program. Finding that magical program or solution is not what helps your business; creating focus is what allows you to avoid feeling like it is day one again at audit time.