- For all the emphasis on industry security standards and regulatory compliance, businesses too often miss the mark
- For those that do not achieve compliance, security breaches are all too common
Nothing drives enterprise security spending quite like compliance. Angst over meeting or missing a mandate strikes fear in the hearts of CIOs and IT security directors everywhere. As a result, it is not at all unusual for a company to map its security priorities to government standards such as those laid out in the Federal Information Security Management Act (FISMA) or industry specifications such as the healthcare-focused Health Insurance Portability and Accountability Act (HIPAA) specification and the Health Information Trust Alliance (HITRUST) framework.
Typically, we think of organizations in heavily regulated and often deep-pocketed industries such as financial services as being especially adept at mapping out the kind of sophisticated security strategy that will keep threats at bay. Unfortunately, the truth may actually run counter to this. Verizon’s 2011 Payment Card Industry (PCI) Compliance Report, issued this week, found that only 21% of the 100 organizations surveyed were in full compliance with the payment card mandate after their initial assessment. It is also worth noting that this 21% did not exactly hit it out of the ball park either, passing an average of 78% of all the required tests.
Falling short of the PCI specification in particular can be costly for an organization. Verizon correlated the findings of its PCI study with its Investigative Response (IR) team’s annual breach report and found that businesses which failed to achieve compliance were far more likely to suffer a breach.
This sounds logical; after all, specifications such as PCI offer often good and sometimes even excellent guidance on what elements should be part of a business’s security strategy. However, simply achieving compliance once is not a lifelong guarantee of protection. Anecdotal evidence shows compliant organizations fall short in subsequent efforts, most likely due to developing a lackadaisical approach borne of overconfidence or the belief that it is ‘one and done.’ Instead, companies need to approach security as an ongoing process. This means designing security policies that take into account everything from the structure of the organization (distributed or centralized) to the level of sensitivity/confidentiality of the data handled every day in the business and then taking the appropriate measures to protect corporate assets.
What challenges has your organization faced in achieving compliance? Do you think the existing industry security standards and government regulations are more of a help or a hindrance? Do you see a direct association between compliance and the success of your security strategy?