In recent years many organizations have become subject to one or more regulatory compliance regimes. But despite an explosion of compliance initiatives, data breaches and other security incidents remain a constant threat to IT departments. That’s because there’s more to achieving real security than completing an auditor survey and marking a few check boxes. Rather, true security requires continuous measurement and correction in the face of the kinds of unrelenting threats that compliance rules simply fail to anticipate.
Sarbanes-Oxley (SOX) still represents a major stumbling block for companies below the $100m revenue level. In some cases the costs and complexity of regulatory compliance cause growing organizations to defer entry into the public securities markets, slowing growth in our economy. For those companies that go public the burden of compliance can divert a substantial portion of operating revenues into non-productive uses – as much as 10% of gross revenue in some cases.
As for PCI-DSS compliance, many organizations are discovering that meeting these mandates does not necessarily provide security against attackers or even protection against fines by credit card issuers. The highly-publicized case of Heartland Payment Systems is just one example. The company was PCI compliant, suffered a criminal data breach, and was slapped with substantial penalty fees. Instances like this should strike fear in any company that accepts credit cards.
A similar concern is recent federal legislation that creates even greater liabilities for companies when personal identification information is disclosed, irrespective of culpability. The fact that there are no federal “Safe Harbor” rules nor any specific guidance on how to mitigate liability ought to keep IT security personnel and corporate executives up at night.
We still see too many IT auditors – ostensibly the trusted individuals charged with understanding security best practices and providing corporate guidance – who take the easy route and accept whatever answers an IT department gives them. A dangerous “point in time” mindset is particularly prevalent in the PCI-DSS certification realm, where compliance is simply checked off once a year.
Corporate executives also share blame when they operate on a principle that an organization can afford to address vulnerabilities only after being fined or embarrassed by news reports of a security breach. Just as memories fade in time, the commitment to security fades quickly when breaches blow over and everyone moves on.
Once an executive team recognizes that compliance alone does not equal security, an organization is poised to save money, safeguard its reputation, and protect itself from the likes of criminals, credit card issuers and government regulators.