The True Cost of Compliance
Survey reveals that doing the bare minimum is roughly equivalent to an invitation to financial disaster.
Most security professionals will tell you that the single greatest risk to their networks is those darn human users who keep storing passwords on sticky notes and opening emails from unknown sources.
The same can be said of compliance, which on an operational level really cannot be divorced from the mindset of network and data security. Ultimately, people are acting on your data and business practices - if they don't know any better (or just don't care), no technological solution can ensure they won't violate compliance guidelines.
A guest opinion piece at SC Magazine lists employee monitoring and, perhaps more importantly, training among its 10 tips for actively focusing on compliance as a basic tenet of your business culture. The column, by a marketing executive at CA Technologies, echoes the general wisdom that compliance is an ongoing process, not a one-time data lockdown event.
Obviously, staying on top of changing regulations is part of the process. But you also must ensure that your staff understands the impact of regulatory compliance on the business. Our Mike Vizard noted last fall that some companies now tie employee bonuses to compliance success. So, yes, the human component is that important.
One of the main tips offered by the CA marketing exec, Shirief Nossier, is to invest in ongoing staff training. Again, there's just no getting away from security here; a primary risk that must be continuously mitigated is social engineering. As Vizard pointed out, loose social media lips sink companies, and there's just no 100 percent secure technological answer to it, unless you want to seal your employees in a bubble. (Be sure to check out these additional resources on social media security training that you can find in our IT Downloads library.)
On the technological front, Nossier advocates investing in data loss prevention (DLP) systems, not only as a way to pinpoint specific critical events ("put that thumb drive DOWN") but also to monitor employee behavior and create a training feedback loop.
Nossier cites a highly publicized survey from last year that suggested compliance is notably less expensive than non-compliance: the price tag for being "complacent" about compliance issues, as his column's title puts it, came in at about four times as high. (You can see the highlights of that survey here.)
He goes on to advocate a centralized GRC approach, which includes rationalizing all the regulations imposed on your company into a single policy and then finding the sweet spot of who should play enforcer. (As we've reported recently, that's the multi-million-dollar question facing GRC these days.) And not surprisingly, Nossier suggests investment in serious compliance portfolio tech; CA Technologies markets large-scale compliance packages, after all.
But even the big software vendors will tell you that the human element is key to your compliance efforts. That's both comforting and a little scary.