What can we say about regulatory compliance? The heyday is over. However, the hangover still lingers.
Most IT professionals now notice that the big incremental spending on security systems and consultants to comply with government regulations and industry rules is behind us. The hype is over. Compliance activities have largely become “baked in” as routine business processes, while employee policies have been re-written to incorporate compliance best practices, which means discretionary spending on compliance is rare.
Senior executive leadership assumes that after years of funding and attention, they can put the compliance fear out of their minds. That box is checked. They assume that automated compliance management and a new environment of checks and balances should keep the organization “in compliance” and out of trouble.
Although mostly part of the business fabric, compliance activities still consume an inordinate amount of time for IT managers and staff. In particular, most IT security professionals now view compliance as a general distraction from doing their jobs, and, at times, at odds with the overall mission of maintaining a strong security posture.
“We’ve really been saddled with an entirely new responsibility to go along with our day jobs,” noted one security engineer at a recent industry Forum. “Signing off on compliance and managing the auditors was never part of the job when I took it – it’s a new world for sure.”
Secondarily, with the frothy cottage industry of consultants and vendors that has grown up to meet the compliance hype, IT leaders are wary of additional spending, and most are searching for ways to achieve the same results with less. Signals from the boardroom suggest it is time to get back to thinking about how IT can accelerate the business, rather than keep it safe from lawsuits and government fines.
And there is the rub. Management believes ‘compliance’ as a whole is behind us. However, compliance monitoring is now a part of every IT professional’s job, and more and more IT professionals are letting this new responsibility dominate their time.
Outlined below are a few of the compliance-related activities that notoriously distract IT professionals away from the essential craft of IT management.
- Trying to figure out exactly what rule makers’ original intention was. Complying with federal and state regulations (SARBOX, GLBA, and HIPAA) was hard enough for IT teams. Now, industry rules like PCI and FFIEC continue to cause practitioners to ask, “What’s this all for?” Since no two networks are the same, compliance with any standard eventually involves significant interpretation. Interpretation leads to long discussions (and eventually guessing) about what rule makers originally intended. For most, the hardest debates are those that put the interest of the enterprise at odds with those of the rule makers. Once IT security teams conclude they need to make significant changes to their existing infrastructures, they commonly wonder, “Who are we doing this for…them or us?”

  Advice: The truth is that in time of crisis, when an organization is questioned about compliance with a regulation or rule, “best efforts” is turning out to be sufficient. Pick an interpretation that is right for your organization first, and meets an obtuse standard second. Limit the time you spend thinking about how well a new architecture, or new piece of software, works to meet a compliance requirement. It may be the right choice, but spending too much time trying to get inside the head of the authors is fruitless.

- Planning for unintended consequences. After years of spending on compliance software and consulting, most CIOs can tell management with conviction that the enterprise is “in compliance.” CISOs and their teams, however, are noting that the enterprise’s security posture is no better, and in many cases, it is worse. Why? Compliant networks have likely been re-segmented, causing new security concerns as data takes new paths. Employees may feel hamstrung by new policies they are subject to, and just work around them. Storing company data in personal accounts in order to work outside the office is a prime example.

  Advice: Remember to go back and look at all the changes recently made to the IT infrastructure (network architecture in particular) in the context of how the network supports the business, rather than how it meets compliance. Most IT staffers have a keen sense of when they have “tightened” the network too much, because they hear from the business managers. However, a slightly out-of-compliance network that serves the business is better than a fully compliant network that brings the business to a halt.

- Managing the army of auditors. A common complaint from security professionals burdened with the time-consuming task of running audits required by new rules and regulations is, “I’m spending 80 percent of my time these days with the auditors, not securing my enterprise.” The sad part is that most audits are now conducted to satisfy rules rather than check the resiliency and security posture of an enterprise. We are measuring the wrong things.

  Advice: Expect and plan for the audit—it is here to stay. As backwards as many audits seem to IT professionals, they are now an unpleasant fact. You can choose to ignore them as you go about your daily IT routine, or integrate them into your thinking, which will eventually save you time and energy. Expect that most audits will focus on “compliance checklists,” rather than what you view as IT.

- Monitoring CNN headlines rather than bugtracker. It used to be that changes in the threat landscape were the security team’s primary early-warning system of impending doom. Today, news media headlines are as feared as the next zero-day attack, and security teams have had to adjust to take this new channel in. The litany of public data disclosures and the fear of regulatory fines and class-action lawsuits now often drive workload, budget allocations, and overall technical strategy. Is the tail wagging the dog? You bet.

  Advice: As with auditors, headlines driving actions are here to stay. Therefore, embrace the change and adapt your activities. Keeping a real-time news feed at the ready is a very common practice among IT professionals these days, and many are even starting to read business publications like BusinessWeek and Harvard Business Review. Read what the CIO reads, but do not forget about the CEO.

- Compliance perfection. The final distraction comes with the assumption by non-technical managers that lots of expenditure and a passed audit mean “100 percent compliance.” CEOs and CFOs tend to view compliance spending and activities like insurance: once we have spent the dough, we are protected, right? Security practitioners are in a tough spot.

  Advice: Tell management the truth that no amount of money can buy 100 percent compliance and risk your job, or tell them what they want to hear and hope for the best. There are always the auditors to fall back on.
Most conversations on compliance eventually come around to the same premise: do not confuse full compliance with robust security. One does not beget the next, and at times changes called for by compliance rules can have a detrimental effect on an enterprise’s overall security posture.
IT security professionals take the job of defending their enterprises from known and unknown threats very seriously. However, for many IT professionals, the biggest internal threat is the excessive time wasted tracking compliance. Staying focused on what you were trained to do, and not falling prey to what is now regulatory distraction, will lead to success.
The workloads of all IT professionals have increased dramatically as the outline of the job has broadened over the past few years. Broadening responsibilities can mean opportunity for growth. Compliance now lives in IT and should be taken seriously. Striking the right balance in terms of work, and not letting compliance take a greater share of time than it should, is the key to success going forward.
Better to be a little less compliant, and a little more productive.
Jack Phillips is a co-founder and Managing Partner at IANS (http://www.ianetsec.com/). In this position, he manages all of IANS’ security vendor company relationships and moderates the organization’s executive leadership discussions among practicing information security executives. A noted speaker and writer in the area of sales and marketing within the IT security field, Mr. Phillips began his career in media and information publishing in 1994 in senior operating positions at McGraw-Hill, and then joined the founding team at Internet Securities (subsequently purchased by Euromoney in 1998). After a senior role at CCBN.com and successful sale to Thomson, Mr. Phillips launched IANS in mid-2000. Mr. Phillips is a graduate of