Compliance is a worthy adversary, and as I witness every day, it is a substantial burden for many organizations. As a security consultant, my focus is information security with specialties in network controls and data monitoring—think firewall, SIEM, and those kinds of things. Because these controls tie into many compliance standards, I must be aware of many different issues that tend to organically translate into advice and consultation in my daily professional life.
The reality is that compliance is hard. There are many different governing bodies, and there is no single answer, since many standards must be interpreted based on the specific business in question. As the IT world grows, so do its compliance burdens. Standards like HIPAA, PCI, GLBA, and other regulatory constructs are challenging for small- and medium-sized businesses (SMBs) because they do not generate revenue. Instead, they create a cost center and are therefore under constant budget pressure. The language of compliance is broad, confusing, stressful, and unrelenting. So, it’s easy to see how a checkbox compliance mindset grows from these stressors.
While compliance issues are demanding, vendors don’t always help. Common marketing materials cover as many compliance areas as possible to lure you into buying their products or services. Too often, many promises are made and contracts are signed, only for you to find out that the solution deployed will not entirely fill your needs. The shortfall likely forces you to buy other components from other vendors in an attempt to piece together a full solution set.
Products and solutions from multiple vendors overlap and can quickly get out of hand, leading to costly and time-consuming maintenance, poorly integrated solutions, and other points of stress. This checkbox compliance approach often winds up being as expensive as slowing down and taking a more focused approach.
Enterprise businesses have teams that focus on business audits and are better staffed to handle these burdens, but SMBs do not always have this luxury. While compliance is hard, though, it is not impossible. Laying the foundation is essential, and as you build your infosec program, data and risk should be central areas of focus. Data is the foundation of compliance, and understanding where your data lives, how it moves, and who can access it is paramount to defining every policy and component of your program. Risk tells you where to focus your efforts and allows you to understand where controls should be placed and introduced into an estate.
As escalating compliance demands become the norm, SMBs face the possibility of more substantial fines and penalties than ever before. And, because audit management is not the focus of most SMBs, getting ready for an audit often feels like a new, inefficient process every time. However, a focused approach, rather than a checkbox compliance mindset, allows businesses to develop better processes, define effective scopes, and build repeatable procedures. As compliance approaches are being developed within your company, the following are some tips:
- Risk assessments are our friends: they guide our focus and are the first steps to building a proper compliance and information security program. IT is a cost center, and explaining the price of risk helps executives understand why these programs need funding.
- You will need multiple vendors, but choose them based on your scope, not on compliance in general.
- Understand your data, both at rest and in transit.
- Keep audits focused, and don’t try to solve for every burden—the best way to attack compliance challenges is to stay focused.
- Understand that ignorance is not a defense that works in today’s environment. Claiming ignorance doesn’t work, but a demonstrated standard of reasonable effort is always in play. We all know you do not put a million-dollar fence around a ten-dollar horse, but we must protect our customers and our employees.
Compliance can be achieved and maintained if you build the right program. Finding that magical program or solution is not what helps your business; creating focus is, because it allows you to avoid feeling like it is day one again at audit time.