25 May 2011

The Changing Face of Compliance and the Impact on IT Security

CA Inc. | www.ca.com


Compliance is a fact of life. It is hard, and it is getting harder. IT security managers have had to evolve from focusing narrowly on meeting the letter of compliance requirements to a much broader role within corporate governance itself. This transition creates the need for new approaches, new skills, and usually new technology to support it.

Key Compliance Trends
The world of compliance has significantly changed the nature of IT management over the past few years. While managing IT has always been a challenge, its scope has expanded as the requirements of compliance have pushed IT executives into a broader role within the corporation. What changes have caused such a sweeping evolution of management? Figure 1 summarizes these trends.

As a result of the recent corporate scandals, there is now a strong emphasis on executive accountability and on transparency of business operations. Shareholders demand that controls be in place to prevent a repeat of the catastrophic corporate failures of the past.

In addition, corporations are instituting clear and comprehensive policies governing employee behavior and employee access to sensitive information, and corporate controls have been created to ensure compliance with those policies. Lastly, the role of IT management has expanded so that it now encompasses governance of all IT-related activities and assets, to ensure that IT meets the current and future needs of the business as well as all relevant regulatory requirements.

The Evolution from Security to GRC
The challenge of compliance has evolved over the past two years, and will continue to do so for the next few. Figure 2 summarizes how compliance is evolving, and illustrates the range of maturity levels found within most enterprises across multiple industries. Some companies adopt and then maintain a given level of compliance maturity, but the general trend is clearly for enterprises to move their compliance approach toward the upper right of this graphic.

Initially, enterprises struggled to become compliant with a specific regulation, typically SOX. They spent far more than they anticipated, and were often faced with major changes to their internal financial and IT processes in order to meet the requirements of that one regulation. Even where they met their deadline for corporate compliance, most compliance executives have said (in several recent polls) that the benefits gained from SOX compliance did not justify the large amount of resources it required.

In many cases this was because, as each new regulation came along, separate and usually manual security controls were implemented for it. The result was excessive (and usually redundant) IT effort to meet the requirements of these regulations. Clearly, a more sustainable compliance approach is needed.

More recently, enterprises have begun to view and manage compliance as a unified effort, in which security controls are designed to meet the needs of all applicable regulations at once. Automation of key security controls has also reduced the failure rate of those controls, and begun moving organizations toward a "continuous compliance" model. Continuous (or "sustainable") compliance is an important goal for any large enterprise, because it means compliance activities can be integrated into the core of internal business processes, reducing their overall cost and risk. Further, by moving from a regulation-specific approach to a unified compliance "platform", enterprises have reduced the number of redundant controls, increasing efficiency and making IT audits less onerous.

Identity management illustrates the type of solution that helps with this transition: it has been instrumental in providing the automated security controls that make continuous compliance possible. User provisioning has helped companies speed up the granting of accounts and access rights to new users, but, possibly more importantly, has provided near-instantaneous removal of access rights for departed (and sometimes disgruntled) employees. The ability to generate automated reports of user access rights, when they were granted, and proof that they were removed has greatly helped in validating the effectiveness of these controls, reducing the expense of IT audits. The control is only as good as its trigger, though: removal is near-instantaneous only when the HR leaver feed reaches the provisioning system promptly, so the feed itself belongs in the audit evidence.

Gradually, enterprises have started to develop a coherent compliance strategy across all the relevant regulations. They have generally adopted widely accepted industry control frameworks, such as CobiT, to ensure that their security controls follow industry best practice. They are also rationalizing and automating their critical security controls so that one control can satisfy more than one regulation, and are starting to formalize their remediation projects so that progress and cost can be measured quantitatively. Most companies are in this phase right now.

Ultimately, companies should strive to optimize their compliance activities by automating more of their IT controls, and by automating the continuous monitoring and testing of those controls. Redundant control testing is not only inefficient; it also produces "silos" of information, as each group tests controls for its own local needs. Since there is usually no central repository of information about the status of IT controls and the risks they address, a control failure can pose a risk that some stakeholders never learn about.
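The automated provisioning control described above (fast removal of a leaver's access, plus evidence of when each right was granted and removed) and the continuous control testing this paragraph calls for, as an added example in Python. It is not CA's product code and not part of the original article; the identity store, the audit-event format, the user names and entitlements, the 24-hour revocation window and the HR departure feed are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class AccessEvent:
    when: datetime
    user: str
    entitlement: str
    action: str   # "grant" or "revoke"
    actor: str    # person or system that made the change


class IdentityStore:
    """Current entitlements plus an append-only audit log of every change (assumed model)."""

    def __init__(self):
        self.rights = {}   # user -> set of entitlements currently held
        self.audit = []    # every grant/revoke ever made, in order

    def grant(self, user, entitlement, actor, when):
        self.rights.setdefault(user, set()).add(entitlement)
        self.audit.append(AccessEvent(when, user, entitlement, "grant", actor))

    def revoke(self, user, entitlement, actor, when):
        self.rights.get(user, set()).discard(entitlement)
        self.audit.append(AccessEvent(when, user, entitlement, "revoke", actor))

    def offboard(self, user, actor, when):
        """Automated deprovisioning: strip every entitlement the leaver still holds."""
        for entitlement in sorted(self.rights.get(user, set())):
            self.revoke(user, entitlement, actor, when)


def access_report(store, user, as_of=None):
    """Audit evidence for one user: each entitlement with when (and by whom) it was
    granted and when (if ever) it was revoked, as seen at the given point in time."""
    report = {}
    for ev in sorted(store.audit, key=lambda e: e.when):
        if ev.user != user or (as_of is not None and ev.when > as_of):
            continue
        if ev.action == "grant":
            report[ev.entitlement] = {"granted": ev.when, "granted_by": ev.actor,
                                      "revoked": None, "revoked_by": None}
        elif ev.entitlement in report:
            report[ev.entitlement]["revoked"] = ev.when
            report[ev.entitlement]["revoked_by"] = ev.actor
    return report


def check_leaver_control(store, departures, as_of, max_lag=timedelta(hours=24)):
    """Continuous control test: every leaver's access must be revoked within
    max_lag of departure. Returns a list of (user, entitlement, finding)."""
    findings = []
    for user, left_at in departures.items():
        for entitlement, rec in access_report(store, user, as_of).items():
            if rec["revoked"] is None:
                if as_of - left_at > max_lag:
                    findings.append((user, entitlement, "not revoked"))
            elif rec["revoked"] - left_at > max_lag:
                findings.append((user, entitlement, "revoked late"))
    return findings


# Constructed sample data: three leavers on the same day, one handled by the
# automated control, one by a slow manual ticket, one not handled at all.
LEFT_AT = datetime(2011, 5, 20, 17, 0, tzinfo=UTC)
DEPARTURES = {"bob": LEFT_AT, "carol": LEFT_AT, "dave": LEFT_AT}   # the HR leaver feed


def build_sample_store():
    store = IdentityStore()
    joined = datetime(2011, 5, 2, 9, 0, tzinfo=UTC)
    store.grant("alice", "erp:ap-clerk", "provisioning-bot", joined)
    store.grant("bob", "erp:ap-clerk", "provisioning-bot", joined)
    store.grant("bob", "vpn", "provisioning-bot", joined)
    store.grant("carol", "erp:ap-approver", "helpdesk", joined)
    store.grant("dave", "vpn", "helpdesk", joined)
    # bob: the HR feed triggers deprovisioning ten minutes after departure
    store.offboard("bob", "provisioning-bot", LEFT_AT + timedelta(minutes=10))
    # dave: manual ticket, revoked three days later
    store.revoke("dave", "vpn", "helpdesk", LEFT_AT + timedelta(days=3))
    # carol: nobody revoked anything
    return store


def run_control_test(hours_after_departure=100):
    """Run the leaver control test against the sample data at a chosen point in time."""
    as_of = LEFT_AT + timedelta(hours=hours_after_departure)
    return check_leaver_control(build_sample_store(), DEPARTURES, as_of)


if __name__ == "__main__":
    for finding in run_control_test():
        print(finding)
```

Run against the sample data, the test reports carol's approver right as "not revoked" and dave's VPN access as "revoked late", while bob's automated offboarding produces no finding; the per-user report from access_report is the evidence an auditor would ask for. Running the same check an hour after departure returns nothing, which is why the test has to be scheduled continuously rather than run once.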

In addition, organizations need a centralized, unified view of IT risk across the whole environment, to eliminate the risk and compliance silos that hold redundant information about risks and controls. The result of this phase is better and more timely decision-making, because the current state of all risks and controls is readily available. This leads to a truly integrated approach to the governance of risk and compliance.

The "Optimize" phase of this evolution is emerging now, and involves a move from compliance management to the broader view of governance, risk, and compliance (GRC). This phase continues the trend toward greater automation of security controls and their testing, resulting in more efficient and more effective compliance efforts. The more important change, however, concerns how IT risks, specifically security risks, are analyzed, managed, and remediated. By centralizing all information about the status of, and the mapping between, IT risks and controls, security and compliance executives gain a unified view of their risk profile across all of IT. Through GRC dashboards that provide visual risk heat maps, trend analysis, and overall compliance status, executives can make significantly better decisions because they have much higher quality information on which to base them.

These trends affect organizations of all sizes. Some smaller ones, or ones with fewer compliance obligations, may decide to move only part of the way through these maturity levels. Still, most companies will find that the growing complexity of compliance dictates a strong need to increase efficiency through further automation of their security controls, and to improve overall oversight through a centralized and comprehensive approach to IT governance.

Compliance is not going away, and the burden is more likely to grow rather than shrink. Security and compliance executives need to make their compliance initiatives a driver of increased business effectiveness and efficiency, rather than a continuing source of expense and frustration.
