Remember the law of inertia from physics class? It says that a body at rest tends to remain at rest unless acted upon by an outside force. Well, when it comes to information security strategy, compliance is usually that outside force. Over the past decade, I’ve seen many businesses remain complacent about information security until they’re forced to pay more attention in the name of compliance. They end up spending a few months documenting policies, tightening passwords, creating antivirus processes and, voila, the business is compliant. And secure, right? Well, not really.
A question in the recent Ponemon Institute State of Global IT Security survey asked nearly 1,900 participants in 12 countries, “Are you taking appropriate steps to improve your organization’s information security posture…If no, why?” The No. 1 answer was “insufficient resources” (39%), followed by “not a priority issue” and “lack of clear leadership.” This raises the question: If information security strategy is being undervalued and overlooked, then how can these businesses possibly be compliant? I’ve seen hardly any business that’s not required, directly or indirectly, to comply with an information security-related regulation. I’m confident you could ask most executives how their IT governance program is working and they’ll proudly say “we’re compliant.” But compliant with what?
To me, there’s the good, the bad and the ugly side of compliance strategy:
- The good: Solid control, visibility and automation are present. These traits facilitate not only compliance but also help manage information risk.
- The bad: Duplicated technical controls, multiple sets of policies/procedures and overlapping security evaluations that only make it appear that work is getting done.
- The ugly: When management and other key players assume that compliance strategy has created a strong, impenetrable infrastructure.
With compliance, you don’t need to spend a ton of money completely revamping the way you do business, but you do need to be mindful of what’s at stake so you don’t end up at the back of the herd. Keep in mind that there’s the spirit of the law and the letter of the law, and savvy executives and their legal counsel will likely focus on the former. Odds are the businesses that strive for perfection will end up wasting time, money and resources on compliance strategy. Still, there are many businesses in operation today that have yet to even acknowledge they have a problem, much less develop a plan for how they’re going to move towards any semblance of reasonable IT governance.
Most importantly, make sure you’re addressing compliance for the long-term benefit of the business rather than to simply complete a one-time checkbox and move on. Sadly, too many people are doing the latter, and the long-term consequences will eventually be evident. Don’t fall into this trap.