Channel Marker

Aug 19 2008   7:42AM GMT

Regulatory compliance: Getting customers to look at the big picture



Posted by: Bcournoyer
Tags:
Network and application security
Tech Blogs

Regulatory compliance has driven a whole lot of business for security resellers in the past few years. But that doesn’t mean you can just walk into a customer site, say “compliance” and successfully sell whatever you want.

Security experts Anton Chuvakin and Rich Mogull both recently wrote about the “checklist mentality” that most customers take when addressing regulatory compliance. What that means is, CSOs have a list of what they need to be compliant, and if what you’re selling isn’t specifically on that list, they don’t want it.

Chuvakin and Mogull specifically discussed data loss prevention and its role in selling regulatory compliance. Chuvakin explained:

DLP is newer than  most regulations (PCI DSS, HIPAA, FISMA, etc) and – what a shock! – the documentation for these mandates just doesn’t mention DLP (or CMF) by name. Sure, they talk about data protection (e.g. PCI DSS Requirements 3 and 4), but mostly in terms of encryption, access control, logging (of course!).

Also, PCI DSS directly and explicitly says “get a firewall”, “deploy log management”, “get scanned”, “install and update AV” – but where is DLP? Ain’t there…

In his reply to Chuvakin, Mogull said you should only use the compliance pitch when what you’re selling is on the customer’s checklist. Otherwise:

Evaluate the tool or process in the context of compliance and show the business benefits. Does it reduce compliance costs? Does it reduce your risk of an exposure? For example, DLP content discovery, by identifying where credit card data is stored, can reduce both audit costs and the risk of non-compliance. Database Activity Monitoring can reduce SOX audit costs and the cost of maintaining appropriate logging on financial databases.

With so many compliance products on the market today, it’s easier than ever to differentiate yourself from competitors. But the more you differentiate, the further away from the checklist you move.

Is the checklist mentality common among your customers? What are your strategies for getting customers to look at regulatory compliance more holistically?

 Comment on this Post

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: