Use security strategy to offset regulatory compliance challenges
Date: May 08, 2014
Virtually every business has regulatory compliance rules it must follow, and these industry-specific regulations are constantly changing and growing in number. As regulations proliferate, their sheer scope creates one of the biggest compliance challenges for organizations today, according to Brian O'Hara, CISO for The Mako Group IT security consulting firm.
To adapt, organizations should increasingly tie governance, risk and compliance processes into an overall business strategy, O'Hara said. At the RSA 2014 Conference in San Francisco in February, O'Hara sat down with SearchCompliance Editor Ben Cole to further discuss how the changing regulatory landscape creates huge compliance challenges and how a strong security strategy can help.
What are the top regulatory compliance challenges that clients are coming to you with?
Brian O'Hara: The top regulatory compliance challenge is regulatory compliance. It's the breadth and depth of it all. There's just so much, and it changes every year. Just about the time you think you've got it, something changes. Then there is another framework released, or the IEC (International Electrotechnical Commission) changes social media regulations. Just keeping up to date is a full-time job.
It used to be a checkbox: Here is the guidance for banks. Did we do everything? Good, see you next year. It's not that way anymore. It's a much more dynamic environment, partially due to the threat surface and partially due to the increase in security efforts at the government level.
How can companies deal with all these regulatory compliance mandates? Is it just a matter of keeping information systems flexible?
O'Hara: It requires businesses to completely reevaluate their strategy. Traditionally, security and IT both have operated in silos, and that's simply not true anymore. We need to begin bringing those areas into the business fold, into the overall business strategy, into all other governance, risk and compliance strategies. If they don't, they'll be chasing their tails constantly.
One of the things we always tell customers is compliance will never make you secure, but security will always lead you to compliance. If you start out with a sound security strategy and you put good policies and practices in place, then compliance is not going to be a problem anymore. But if you continue to chase regulation after regulation, you're never going to get caught up and eventually you're going to get into trouble.
What do you think are some of the most dangerous emerging cyberattacks? What security measures and technologies are emerging to address them?
O'Hara: That's a really good question. I don't know that I have a good answer for that. The threats are morphing so fast that we have to change the strategy we use to deal with them. In the past, we've traditionally used antivirus and anti-malware, or intrusion detection systems. It was a layered security strategy.
Those boundaries and borders are all gone. All bets are off, it's the Wild West again. We have to change our strategies and the way we approach the problem. At least in some ways, what we're doing isn't working.
How effective do you think intelligence and analytics-driven security strategy is? What are some of the challenges to that approach?
O'Hara: It's paramount to understanding what you're dealing with, first of all. Without that intelligence, you're just kind of hoping that you're doing the right things. You really don't have any data to drive your decision-making. The challenges revolve around what to look for. There's no set answer for that; it changes very quickly. It's as dynamic as the threat environment is.
We need to stay up on what points we need to be reviewing, what data sets we should be protecting. It comes down to risk management. Where do you want to pool your resources? We can't protect everything, so we have to look at things like 'Is data encryption right for this solution?' There is no correct overall answer. It has to be right for that particular situation. The only way you can make those informed decisions is by understanding the data sets or mapping you're looking at.