One might conclude that if a company achieves compliance, it is fundamentally secure. Unfortunately, this isn’t always the case. Most of us in the security industry talk at length about working to be truly secure while implementing compliance initiatives. Why do some organizations seem to be coming up short?
"If you think compliance is expensive, try noncompliance."
—Former U.S. Deputy Attorney General Paul McNulty
Over the last two years, we have seen many public- and private-sector organizations having to answer tough questions from their customers, constituents and (unfortunately) attorneys. Many are paying a severe price through punitive damages and legal costs, as well as hits to brand reputation for their security breaches…even though they might have been compliant. Here is the question that demands an answer: “If you were compliant (per PCI, HIPAA, etc.), why weren’t you secure enough to prevent a breach of my sensitive data?” I can’t speak for everyone, but I have certainly asked this question myself, as several of my credit cards and personal data have left the building. Information security is a difficult, but not impossible, task. We just need to think differently about how we answer the question and set a goal of maintaining and strengthening our overall security posture.
Security has evolved to become a business driver
Reducing information-security risk is essential for all organizations. Being able to show risk reduction over time is important to stakeholders and customers alike. The attack surface is increasing with the massive adoption of powerful compute containers—all designed to facilitate business agility—both inside and outside of the datacenter. Businesses are moving at the speed of cloud, and organizations are looking for efficient ways to continuously monitor their IT ecosystems, no matter whether they are down the hall or across the globe.
I can certainly appreciate the demands placed on IT and security/compliance staff to balance this never-ending endeavor to be not only compliant but also secure. In the past, I gained valuable experience going through automating PCI Level 1 compliance and learned many valuable lessons through this process. Whether you’re handling payment processing data and need to maintain PCI compliance or are in the healthcare sector protecting HIPAA data, reevaluating the way you measure and monitor compliance is worth the effort.
It’s time to think differently about security and compliance
At Cavirin, we recognize the fact that cyber risk management starts with complete transparency and the continuous evaluation of risk. We anticipate that compliance and security initiatives won’t decrease in scope, but will likely become an integral part of every single organization doing business online.
The Cavirin platform was designed with the idea that security is—and will continue to be—a competitive advantage for every company (no matter how large or small) deploying Software as a Service (SaaS) solutions. Compliance initiatives will know no boundaries as organizations race to the 3rd platform (cloud computing) to increase IT throughput and cost-effectiveness.
Evaluating third-party risk and compliance will become equally important in the effort to achieve a secure operating environment. The goal of maintaining security while achieving compliance is an attainable one, but it requires new methodologies and approaches. The concept of agentless introspection that gives you a balanced scorecard against standard compliance frameworks is the future. Cavirin takes a lot of pride in helping you achieve these standards together without sacrificing performance or budget.