Comment: Getting the Compliance Budget “Just Right”

"I wonder if she will be serving porridge for dinner?"

Demonstrating compliance with regulatory standards such as PCI-DSS, HIPAA, Sarbanes-Oxley and the like is an increasingly important responsibility assigned to IT teams in the modern enterprise. The most effective organizations approach compliance as an ongoing effort, rather than as a one-time project.

‘Continuous compliance’ has emerged as a superior approach that yields more effective results than the episodic efforts that may result in a lot of paperwork generated by highly paid consultants, but delivers dubious value to the enterprise. NIST Special Publication 800-137, for example, describes a strategy grounded in a clear understanding of organizational risk tolerance.

The Pareto Principle, which states eighty percent of the peas observed are in just twenty percent of the pods, is applicable here: the most effective strategies for compliance – as measured in terms of outcome – are not the ones that spend the most, but optimize the spending as it relates to results.

In Goldilocks and the Three Bears, Goldilocks attempts to sit in the chairs belonging to the three bears. She rejects the first one as “too high” and the second one as “too low” before finding the third one to be “just right”. As IT budgets face increasing scrutiny as a cost center, efficiency in satisfying regulations becomes important. So, how can companies get it “just right?”

One approach is to start by considering the sub-tasks involved. These can be broadly categorized, regardless of the specific regulatory standard under consideration. The average percentage spent as a proportion of the overall compliance budget, based on a benchmark study conducted independently by the Ponemon Institute, is shown in parentheses:

  1. Policy Making (8%): The creation and distribution of policies relating to the protection of confidential data. This is a larger effort in the first year and reduces in later years to keep up with policy updates. For example, the PCI Standards Council has issued new guidelines for those who have migrated IT assets to cloud providers.
  2. Communications (10%): This refers to internal communications where employees and others who have access to confidential information are trained on the specific policies and procedures for protecting it.
  3. Program Management (13%): The costs of having a leader in charge of the effort to oversee that the tasks are satisfactorily completed.
  4. Data Security Technology (29%): By far the most expensive component of a compliance program is the acquisition and implementation of software, hardware and services to implement controls. These usually include authentication, vulnerability scanning, change auditing and security information and event management (SIEM).
  5. Monitoring (18%): This is the appraisal of compliance and may be performed either by an internal team or by an independent external team working with designated internal team members.
  6. Enforcement (20%): Inevitably when controls are implemented, instances of non-compliance are discovered. This is the task of detecting and remediating such instances. If a breach is uncovered by the monitoring team, then the incident response is covered by this area.

To get the budget just right, the best approach is risk-aware and focused on the long term. It is necessary for management to embrace the regulation as well intentioned, and not as an imposition or unnecessary overhead. Because business practices are what sustain an organization, these need to come first, along with the compliance requirements linked to them, not the other way around. This allows employees and management to clearly see that regulations are there to help, not hinder, because any long-term successful program requires adoption by the rank and file of the organization.

A “too high” budget for compliance results when there is a lack of asset classification according to business value, leading to one-size-fits-all controls. When asset owners work with the IT team to properly classify assets (for example, database contents), suitable controls can be implemented. Enabling database auditing increases the use of CPU, memory, network bandwidth, and storage, and it requires the attention of senior database administrators. Data owners are usually mid-level managers in the organization and not members of the IT team who manage the machines and the database. These data owners are in the best position to classify the data in terms of business importance. If this input is absent, the database administrator is likely to err on the safe side, assigning unnecessarily high auditing levels resulting in overspending.

A “too low” budget for compliance results from a mindset that resents compliance, viewing it as interference by an external entity. This is especially true if the organization has not struggled through a data breach. In such cases, the focus is on avoiding policies and processes, usually by de-scoping assets as falling outside the purview of compliance. These organizations would do well to heed the experience of the industry where many surveys, including the aforementioned Ponemon report, show that the cost of non-compliance is nearly three times the cost of compliance.

Attackers, both state-sponsored and criminal, are increasingly after confidential information, including intellectual property and personally identifiable information. Regulatory compliance seeks to set a common minimum baseline to insulate organizations from such attacks. By embracing these regulations as being good for you, and adopting a risk-aware and long-term focus, it is possible to right-size the compliance budget and enjoy good security.

Good business sense is, after all, just right.


As the co-founder and CEO of EventTracker, AN Ananth was one of the original architects of the EventTracker product, an enterprise log management solution. With an extensive background in product development and operations for telecom network management, he has consulted for many companies on their compliance strategy, audit policy and automated reporting processes. Ananth is a leading expert in IT compliance, with over 20 years of experience in IT-control and operations. He was involved in product development for various companies, including Ciena, Westinghouse Wireless and Equatorial Communications. Ananth holds a MSEE from the University of Texas and remains active in strategic product direction at EventTracker.
