The True Cost of Compliance
Survey reveals that doing the bare minimum is an invitation to financial disaster.
There's a natural tension between compliance and security that stems from the simple fact that too many IT organizations equate one with the other. But compliance requirements generally provide only a baseline of minimal security, so it's entirely possible for an organization to be in compliance and still suffer a security breach.
Confusion over this distinction frequently leads to frustration with compliance requirements, along with a general sense of security fatigue that can be traced back to all the issues compliance products generally don't address. The good news is that we're starting to see more convergence between security and compliance products to address this gap.
Case in point is the enhanced file integrity monitoring capability that Tripwire has included in the latest version of the company's VIA platform. Rolled out at RSA Conference 2011, the new version of Tripwire's file monitoring software has been optimized around version 2.0 of the Payment Card Industry Data Security Standard (PCI DSS) in a way that allows IT organizations to continuously monitor logs and system event information to identify abnormal updates to files. Because unusual file activity is usually the first sign of trouble, Rekha Shenoy, vice president of marketing for Tripwire, says the Tripwire VIA platform not only helps companies stay in compliance, but also serves as an early warning system for potential security breaches.
Shenoy says it is one thing for a security information and event management (SIEM) product to tell you when your organization is out of compliance, but it's a higher order of value when that SIEM offering can identify when and where files are being accessed without authorization. That capability, she adds, means that money being allocated to compliance is actually serving to enhance security, and like it or not, IT organizations today are rolling acquisitions of security technologies under a compliance budget that is much easier to get approved in today's business climate.
At the end of the day, Shenoy says that every dollar spent on compliance should enhance security and vice versa. The trick is to find products and technologies that make both sides whole, versus simply trying to check off a compliance requirement without any regard to the company's overall security posture.