Get with IT: Compliance is Just the Beginning

Dec. 13, 2011
How to approach IT security from a risk management perspective

Physical security controls, operating systems, mobile devices, you name it — it is amazing how the more things change in IT, the more they stay the same. When it comes to keeping critical systems protected and sensitive information under wraps, IT compliance is no exception.

What I mean by IT compliance is falling in line with government and industry regulations affecting the security and privacy of sensitive information in your business. There is plenty of regulation to go around, be it HIPAA or the HITECH Act for the healthcare industry, the Gramm-Leach-Bliley Act (GLBA) for the financial industry, or PCI DSS for credit card transactions. In fact, it can be argued that the massive regulations themselves are one of the greatest threats to business and free enterprise. At least that’s how I see it.

But it is what it is — and we mostly have ourselves to blame.

Around a decade ago, after the web became popular, we started hearing about businesses experiencing data breaches. The problem became so widespread that organizations such as the Privacy Rights Clearinghouse started tracking what was happening. As we can see on the Chronology of Data Breaches (www.privacyrights.org/data-breach) the story got ugly. Businesses didn’t self-regulate and do what was needed to keep things secure so, in typical fashion, the government and industry bodies stepped in and tried to do it for them.

Welcome to the new world of compliance that everyone loves to hate.

More than two years ago, I co-authored an article entitled “The Dangers of Over-Reliance on Compliance,” where we wrote about how businesses are not focusing on what is important and how they are doing the bare minimum to get by — and that was with most of the government and industry regulation we have today.

Now, here we are, nearly three years later, and not much has changed. Many business owners are still going down their compliance checklists, marking things off and claiming to have a handle on their business risks, but judging by the number of data breaches that still occur, they really don’t have a handle on their IT security.

Ironically, many of the data breaches are happening to businesses that claim to be “compliant” because they passed this or that audit, developed a certain level of security documentation or have fancy technical controls like firewalls, data loss prevention and encryption. But those things mean very little in the grand scheme of things.

My point is you have to look beyond the compliance checklists and approach IT from a risk management perspective. Here’s how:

1. Determine what sensitive information you have;
2. Find out how that information is at risk;
3. Implement the proper controls; and
4. Re-evaluate periodically and consistently moving forward.

The good news is that if you are serious about information security and do it well, “compliance” will emerge as a nice side effect. This means you will not have to manage each and every regulation as a unique silo, nor will you have to worry about how “compliant” your business is at any given point in time. Manage risk and it will all fall into place. It doesn’t matter if your business is a small startup in a minimally-regulated industry, or if it is a large enterprise in the healthcare or financial industry, you cannot — and should not — rely on the compliance crutch to manage IT. It is not only an exercise in futility, but the false sense of security it creates will undoubtedly get you and your business into a bind.

Kevin Beaver is an information security consultant, expert witness, as well as a seminar leader and keynote speaker with Atlanta-based Principle Logic, LLC. In the industry for 22 years and having worked for himself the past 10 years, Kevin specializes in performing independent security assessments to help manage business risks. He has also authored/co-authored 10 books on information security including the best-selling Hacking For Dummies and Hacking Wireless Networks For Dummies. In addition, he’s the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached through his website (www.principlelogic.com), and you can follow him on Twitter at @kevinbeaver or connect with him on LinkedIn.