Most companies tend to look at security compliance as an event and think that if they can make it through an audit just one time, they will be OK.
Editor's Note: This article is an extract of the white paper "The Hidden Cost of Compliance" available for free download from the MC White Paper Center.
I found myself in an interesting conversation with a friend of mine recently. He's in IT management for a division of a large storage area network (SAN) provider. When I asked about his job, he quickly lamented that he didn't like his job at the moment because he was too often caught up doing "busy" work and wasn't able to take on projects that would have the potential to affect his company's bottom line.
When I asked about security compliance, he rolled his eyes. His view was simply that compliance was yet another burden that IT had to deal with that took away from the bottom-line impact that they so desperately wanted to affect. Let's look at the burden and cost of compliance.
Standards, regulations, laws, legislation…. You would have to have buried your head deeply in sand not to have even a passing understanding of the simple fact that "compliance" has become a recurring theme in the day-to-day operations of business. Compliance covers a host of areas, but for the purpose of this discussion we will limit ourselves to the topic of "security compliance," most specifically as it relates to security on your computing platforms. Don't worry. This isn't going to be a technical discussion. This discussion is about something that every executive should think about: the bottom line.
So where exactly does security compliance begin? Security compliance starts with evaluating one's "house." In other words, it starts with examining where the deficiencies lie and then determining what risk they present and what needs to be done to address these risks. Next come the auditors' visits. Depending on the size of the company, you may also have to deal with an internal audit group prior to working with an external audit group. And depending on the vertical industry to which your organization belongs, you may be dealing with multiple audits from multiple auditing firms. Regardless of the number of audits performed each year, when auditors get involved, the requests for data for analysis start to roll in.
The issue is that most companies tend to look at security compliance as an "event." They think if they can make it through this event just one time, they'll be OK. The funny thing is that the next year, those auditors are back, asking for the same data (again), doing the same analysis (again), and writing up their opinions (again). I've often remarked that compliance is the "gift that keeps on giving." It happens at least every year, like clockwork, and you hope that what the auditors see this year is just a little better than what they saw last year; otherwise, you'll have a lot to explain to investors, shareholders, executive committees, and the board of directors.
To learn more, download the white paper "The Hidden Cost of Compliance" available for free from the MC White Paper Center.