Published on in Cyber Security

Sian John, Security Strategist at Symantec, explains more about how effective IT security compliance must support ongoing business success.  Read more from Sian on LinkedIn.


Simply put, compliance standards or regulations are brought in when markets fail.

If we look at IT compliance, the Payment Card Industry Data Security Standard (PCI DSS) was introduced because Visa and Mastercard had experienced fraud but merchants were not taking the appropriate precautions.

While some businesses do need the ‘stick’ approach, most prefer the ‘carrot’. They don’t want to spend money just to be compliant; they want to spend money to do a good job.

The problem comes from the fact that the stick is not big enough. Fines are too small and some regulation is not written well. Add to this the view that too many businesses are obsessed with ticking boxes rather than thinking about the outcome and you find that few organisations actually make compliance work in their favour.

To address compliance properly, organisations need to consider investment versus risk:

  • Recognise that compliance is just there to make sure you are doing a good job
  • So look at what you’re trying to achieve – keeping yourself secure
  • Avoid the metric temptation – i.e. go beyond the basics

The advantage lies in being aware of what you need to secure. Once you know what your exposures are then you need to know where your assets are and generate the evidence. With the information to hand you can map it against your policy.

Doing this manually can take forever, so consider using tools to automate the task. You can save a lot of money by checking once and reporting many. In our experience, you can save hundreds of hours.
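The “check once, report many” approach above, as an added Python example that is not from the original post: each security check runs a single time per asset, and the resulting evidence is mapped onto every policy reference that depends on it, so one pass over the inventory feeds several reports. The inventory, the 30-day patch window and the INTERNAL-* policy ids are constructed for illustration; the PCI DSS requirement numbers are the real top-level requirements, but the mapping of checks to them is simplified.

```python
"""Check once, report many: evaluate each security check a single time per asset,
then map the evidence onto every policy reference that relies on it."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Asset:
    name: str
    in_card_scope: bool      # handles cardholder data (PCI DSS scope)
    disk_encrypted: bool
    last_patched: date
    central_logging: bool


# Constructed sample inventory (not real hosts).
TODAY = date(2024, 6, 1)
INVENTORY = [
    Asset("pos-db-01", True, True, date(2024, 5, 20), True),
    Asset("pos-web-02", True, False, date(2024, 3, 1), True),
    Asset("hr-file-03", False, True, date(2024, 5, 25), False),
]

MAX_PATCH_AGE_DAYS = 30   # assumed internal patch window

# Each check is written once and returns True when the asset passes.
CHECKS = {
    "disk_encryption": lambda a, today: a.disk_encrypted,
    "patch_currency": lambda a, today: (today - a.last_patched).days <= MAX_PATCH_AGE_DAYS,
    "central_logging": lambda a, today: a.central_logging,
}

# One piece of evidence satisfies several policy references at once.
# Requirement numbers are top-level PCI DSS requirements; the INTERNAL-* ids are constructed
# and the mapping is illustrative, not a full control crosswalk.
CONTROL_MAP = {
    "PCI DSS Requirement 3 (protect stored account data)": ["disk_encryption"],
    "PCI DSS Requirement 6 (maintain secure systems)": ["patch_currency"],
    "PCI DSS Requirement 10 (log and monitor access)": ["central_logging"],
    "INTERNAL-SEC-04 (encryption at rest)": ["disk_encryption"],
    "INTERNAL-SEC-09 (hardening baseline)": ["patch_currency", "central_logging"],
}


def run_checks(inventory, today):
    """Evaluate every check exactly once per asset. Returns {check: {asset: passed}}."""
    return {name: {a.name: fn(a, today) for a in inventory} for name, fn in CHECKS.items()}


def report(evidence, control_map):
    """Map the collected evidence onto each policy reference: {control: sorted failing assets}."""
    out = {}
    for control, checks in control_map.items():
        failing = {asset for c in checks for asset, ok in evidence[c].items() if not ok}
        out[control] = sorted(failing)
    return out


def card_scope_exposures(evidence, inventory):
    """Assets in cardholder-data scope that fail any check: the exposures to fix first."""
    in_scope = {a.name for a in inventory if a.in_card_scope}
    failing = {asset for results in evidence.values() for asset, ok in results.items() if not ok}
    return sorted(in_scope & failing)


if __name__ == "__main__":
    ev = run_checks(INVENTORY, TODAY)
    for control, failing in report(ev, CONTROL_MAP).items():
        print(f"{control}: {'PASS' if not failing else 'FAIL ' + ', '.join(failing)}")
    print("Card-scope exposures:", card_scope_exposures(ev, INVENTORY))
```

Adding a new regulation or internal policy means adding a line to the control map, not re-running the checks; the evidence gathered once serves every report, which is where the time saving comes from.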

Recently we undertook a survey and found out that:

With many IT security leaders at a crossroads of new regulations, business drivers, an evolving threat landscape and a staggering array of technology, success will come from their ability to change roles.

Since security and risk management have become boardroom discussions, the former technical expert must now become a key business risk advisor.

All views expressed are the author’s own.
