RSA Europe: Demonstrating actual compliance is a very costly business.

According to the report, entitled 'A New Era of Compliance: Raising the Bar for Organisations Worldwide', regulations are becoming increasingly prescriptive.

For example, says the study, US state laws are now mandating stronger encryption, while enforcement of regulation is also getting tougher, as witnessed by the UK Information Commissioner's Office being granted increased powers and penalties.

The report, which has been authored by the Security for Business Innovation Council (SBIC), notes that breach notification laws are spreading across the globe and that the responsibility to assure business partners' security is growing.

The first regulatory guidelines to assure cloud computing service providers' security, for example, have just been issued by the data protection authority in Germany.

Infosecurity spoke to Professor Paul Dorey, a member of the SBIC, who explained that the report has been in progress for three months and aims to be a 'management heads-up' regarding the increasing need for compliance in most organisations.

"Our research suggests that quick fixes in the field of regulatory compliance are rarely effective in the longer term, even though they may appear to work in the shorter term," he said. "We also discovered that standards are increasingly important in the field of regulatory compliance, mainly because there is an increasing dependence on third parties," he added.

According to Dorey, most organisations now outsource many of their IT functions, and this can create problems for IT management: they remain accountable for the third-party company's security, even though they have little control over it.

"The problem is that few organisations have the required expertise to get 'under the covers' and find out what's really going on. This is despite the fact that, if they are accountable, they need to do this," he explained.

So what is the solution?

Dorey says that if third-party firms expose good IT interfaces, monitoring their operations becomes a lot easier.

The problem of regulatory compliance is compounded, notes Dorey's report, by the fact that, since the start of the internet age, businesses have continued to move huge volumes of transactions and personal data online.

Yet, despite the maturity of compliance programmes, the CISO's obligations continue to stack up.

The solution, says the report, is that organisations without proper security controls must ramp up quickly if they are to remain valued players in international business.

In addition, notes the study, the steady stream of new regulatory requirements makes for a complex compliance environment, meaning that demonstrating actual compliance is becoming a very costly business.

Coupled with the fact that a business partner's lack of security exposes the enterprise to increased risk, the report concludes that, in order to succeed, a compliance programme in a large enterprise must take a holistic approach that meets the requirements of multiple regulations at once.

A successful programme, says the study, embeds compliance in the business process, using automation as much as possible, as well as making 'defensible' decisions when it comes to risk management.

The report notes that regulatory compliance does not have to be a hindrance to business innovation. If it is done right, the process is not a drag on resources.

And if organisations focus their compliance efforts on building core risk management strength, the process of compliance can actually enable innovation.

The key, says the report, is a risk-based compliance programme that puts fewer resources towards non-productive compliance activities and leaves more for the organisation to invest in business innovation.
