Sarbanes Oxley : Technology : Security

The Compliance Conundrum

Balancing Security and Compliance with Economic Reality

By Vijay Basani, Chief Executive Officer, eIQnetworks

As the United States – and indeed, the world – continue to experience tumultuous market conditions, organizations both large and small are coming under increasing pressure to reduce operating expenses for as long as necessary to weather the fiscal storm.  This is a natural and often prudent reaction, and like any organization within the enterprise, I.T. is not immune from these exercises in efficiency.

Unfortunately, as fiscal realities become apparent to I.T. organizations, they often wind up running into another type of reality: the fact that both compliance requirements and information security attack vectors are increasing and becoming more complex at a rapid pace.  For most I.T. managers, this requires threading a very small needle – how do these professionals continue to ensure the confidentiality, integrity, and availability of valuable information assets, meet an ever-increasing range of additional regulations, standards, and other mandates, and still adjust their operating expenses downward to meet the financial needs of the organization?

At first glance, this seems like a Sisyphean task: doing more with fewer resources, while reducing both security and compliance risk at the same time. Under the surface, however, there are some real-world measures that make this mandate not only possible, but easier than it first appears:

Align security and compliance.  Information security and compliance are two separate disciplines; being compliant with regulations, best practices, and standards does not mean that an organization is secure.  However, by using tools and technologies that more closely align the goals of compliance and security, organizations can more effectively see – and address – the gaps between these two disciplines by focusing valuable resources on high-value projects that both meet critical compliance requirements and provide significant reduction in security risk.

Consolidate point solutions into a security and compliance platform. Historically, the rule of thumb in the I.T. industry has been that one new technology means at least two FTEs to support it. Moreover, in the security space, multiple point solutions such as IDS/IPS, SIEM, vulnerability scanners, and ESM generally do not “talk” to each other, making them reactive analytical tools rather than proactive solutions to big-picture security problems. By consolidating single-purpose point solutions into an integrated platform where a broad range of security data – events, configuration, performance, vulnerability, and others – is shared, organizations can reduce the number of point solutions they use, lower maintenance and support costs, and simultaneously gain a more holistic view of security and compliance across the enterprise.

Embrace technology generalists.  Specialization will always have an important role in I.T., but it’s important to ensure that technology managers are able to see the Big Picture of technology (and most importantly, how technology systems meet business needs) from a macro perspective.  Ensuring that everyone in the technology management process understands not only what they do, but why they do it, will help to focus technology projects and potentially even generate new, innovative ideas for efficiency and cost reduction.

In today’s tough economy, no industry or organization is completely immune from its effects, and for I.T. organizations there is no magic bullet that lets them both meet diminished budgets and keep risk levels for security and compliance in check. However, by proactively changing their processes to rely on consolidation, alignment of goals, and other reengineering efforts, I.T. organizations can weather the storm of today’s market and come out stronger, more secure, and more compliant when the economy rebounds.

© 2019 Simplex Knowledge Company. All Rights Reserved.