5 Ways You're Wasting Compliance Dollars
Fighting redundancy and ineffectual practices leaves more money for meaningful security
By Ericka Chickowski, Contributing Writer
Dark Reading - Sure, the cost of compliance has been driven higher and higher by increased regulatory burdens over the years. But that's not the whole story. Many organizations spend more because they're wasting compliance dollars on piecemeal compliance programs, ineffective products, and expensive consultants brought in when things go wrong.
"Businesses spend a lot of money on compliance and risk management. Effective compliance is a critical component of modern business, and the oversight environment is getting increasingly more complicated every day," says Geoff Harkness, managing director at MorganFranklin. "Rather than increasing compliance spend in direct relation to increasing oversight, businesses must figure out ways to make more effective use of future budgets."
Here's where Harkness and fellow security experts believe businesses should look to find the money they're wasting on compliance and audits:
1. Do Everything Manually
"Unnecessary waste occurs with companies who are using manual processes to conduct IT audits for all aspects of the audit," says Jason Creech, director of policy compliance for Qualys.
Tufin's chief security architect, Michael Hamelin, agrees. Manual processes not only take a lot of manpower to pull off, they also end up jeopardizing the state of compliance. It's the very definition of waste -- spending lots of money on a process that comes to nothing anyway. He says he has seen numerous customer prospects spend days on manual firewall audits for PCI only to see them knocked out of compliance with the next weekly firewall change window.
"Automation can play a huge part in aligning security and compliance goals by providing analytics and reporting that allows organizations to sync their efforts," Hamelin says. "When you can leverage automation to be preventative, over time it results in a more proactive and strategic approach to both security and compliance management, and instead of wasting money you create economies of scale."
2. Keep Your Left Hand Unaware Of The Right
"Any compliance drill that is executed as a check-the-box exercise is at a minimum inefficient or partially wasteful," says David Wilson, director of cybersecurity strategy for Telos. "This is particularly true when the policy compliance folks are segmented from the operations folks. To achieve real benefit, compliance and operations efforts should be intertwined."
Without that work to intertwine them, mishaps are bound to occur. As an example, Creech told the story of one company he worked with that came to him complaining of auditors flagging the company on poor change-control documentation.
"It was discovered that a poor system image management process used in remediation was having an impact on the IT audit. In their organization, remediators corrected system issues by reloading images from a jump drive," he says. "'Remediator A' would fix the reported problem by loading an image, but if another issue was reported, another remediator may show up with his jump drive to fix the second reported issue, basically undoing Remediator A's work."
By the time the annual audit took place, the change-control documentation did not represent the actual environment. "Nowhere close," he says.
3. Deploy For Features Instead Of Security Benefits
According to Phil Lieberman, CEO of Lieberman Software, organizations usually have the choice between two types of compliance solution.
"The first will not scale or work, but is provided by an appliance. The second requires integration into line-of-business infrastructure to close the holes," Lieberman says. "When approached with the two, the first solution is chosen because [they believe] a failure of a solution is better than one that requires interdepartment cooperation."
4. Reinvent The Widget
"When I worked in professional services, it was not uncommon once I arrived on-site to find unused systems -- systems that had not been kept current with the environment. Some companies had even forgotten the passwords to use for login as administrator," Creech says. "Those particular solutions were very expensive and averaged nearly $1,000 per IP."
Technology also goes underutilized when the niche products that are in use overlap with one another in functionality.
"Often, personal preference, vendor lock-in, or suggestions from the auditor conspire to cause organizations to run many redundant and unneeded systems," says Ron Gula, CEO and CTO of Tenable Network Security. "These systems are often implemented with a sliver of their actual feature set, so the organization gets little benefit from the product or its security capabilities."
Such disarray on the technology side is actually a symptom of a larger redundancy problem, rather than the disease itself. Often the duplicative widgets are a result of multiple compliance project managers chasing down multiple regulatory objectives without any kind of overarching strategy. Nip that behavior in the bud and you'll soon weed out the technological excess.
"Many leading organizations have spent significant time and energy on individual aspects of compliance, but have failed to realize a comprehensive, integrated governance, risk, and compliance operational framework," Harkness says.
5. Ignore The Cloud
"Since SaaS applications are so easy to purchase, many IT organizations do not have a clear picture of how many seats of various cloud applications are truly being used within their enterprises," says Gerry Grealish, vice president of marketing and products for PerspecSys. "This unawareness allows for gaps in compliance and, more importantly, overall data security."
In order to ensure compliance stretches across all the infrastructure where regulated data sits, it is critical to inventory and evaluate the cloud platforms that are already in use, Grealish says.
"The next step is to determine what information is being stored and processed in these clouds, and to put the compliant data protection model in place to ensure sensitive and private information is being properly safeguarded," he says.
Original appearance at darkreading.com