Posted by: David Schneier
assessment, Audit, FFIEC, GLBA, PCI, red flags, red flags identity theft, regulatory, Regulatory Compliance, Security, security awareness, SOX
Sometime back in August I blogged about addressing outstanding compliance tasks before the year’s end. We see it every year in my practice: compliance and security folks wake up sometime right around now in a bit of a panic and realize that they’re about to miss certain key regulatory deadlines. Be it an audit, an assessment, or developing or updating one of the many programs that need to be in place — there’s just a ton of things that need to be completed within a calendar year. These things keep getting pushed off because they don’t seem significant to day-to-day operations; retail lending isn’t going to make its numbers because a pen test was conducted or because the vendor management program was maintained. And so these activities are constantly being put on the back-burner to a moving point in time that never seems to be reached.
Of course now that we’re facing down New Year’s Eve in exactly three weeks, we’re finding ourselves busy with all manner of work that wasn’t even on our radar as recently as Thanksgiving. It’s like the old adage: “If it wasn’t for the last minute, nothing would ever get done.”
But why does this keep happening? Why are these activities treated as necessary evils and not as something that helps support the business, reduces risk and maintains reputation in the marketplace? Quite literally, all of the have-to’s thrust upon financial institutions by their regulators serve an important purpose and address some very real problems that confront us every day. And yet despite that important fact, the vast majority of stakeholders view compliance as a bit of a drudgery and something they’d rather do later, not now.
I recently read a report that stated that nearly one of every two information security professionals spends at least 50% of their time working on regulatory compliance tasks. The angle of the report seemed to be that it was time consuming, possibly excessive, and that the infosec people had more important things to focus on if only they could. I was surprised by the report because I would think that somewhere in excess of 75% of every infosec professional’s work day would be consumed with tasks that are directly related to regulatory requirements. Most of what a properly managed and matured IT organization needs to have in place dovetails quite nicely with the related regs. I’ve written before about how I thought PCI should be applied in a broader sense (though modified somewhat when it comes to the more extreme elements) as a security standard. It addresses just about every key security control objective and related activities, provides tools to conduct periodic assessments, and allows you to leverage what’s required with how you should conduct business. A properly managed infrastructure shouldn’t have to jump through any special set of hoops to be compliant; it should be a natural byproduct of doing things the right way to begin with.
But when you read a report that places an emphasis on how much time compliance consumes in a work day and makes it seem as though that’s a separate body of work apart from what the infosec person should be doing, it’s clear to see why compliance is viewed as the aforementioned necessary evil. It’s not though; it’s actually a great assist in managing risk.
We have several clients who are all over the broad range of required activities. They don’t approach compliance as a point in time exercise but rather as an ongoing set of actions that are ingrained within their day-to-day activities. They identify issues with vendors before those issues impact their operations (particularly relevant in this economy). They uncover terminated employees who continue to maintain application or system access before any harm is inflicted. They modify and strengthen programs (e.g. Red Flags and incident response) so that they’re increasingly effective in helping to identify and reduce fraud (again, particularly relevant in this economy). They react to findings on audit and assessments with concern and not defiance because they value the resulting improvements and the risks they help mitigate.
And what’s particularly interesting is that size doesn’t matter. We have proactive clients whose asset sizes range from $100M to $2B (and beyond); some with vast resources and some with scant few. But regardless, their approach, commitment and results are equal. They have no fear of the ball dropping in Times Square.
It’s just about too late to do much of anything if you’re already late in getting things done this year. But it’s not too early to get a head start on planning what you’re going to do in 2011. Remember, an examiner won’t let you off the hook for being deficient in any area, but they will grant you more time if you have a viable plan in place to address things in short order. For those of you who can’t be fully compliant, at least make the effort to be fully aware and prepared. Do you really want to be the one standing in front of the board of directors or the CEO trying to explain how a key business partner just up and closed in the middle of the night and you didn’t even realize they were in financial trouble?