While you may think that complying with regulations that require data security would be helping companies move toward more secure networks, it may be having the opposite effect.
Certainly more time is being spent on compliance than ever before. Forsythe Solutions Group conducted a survey of 100 senior IT and data security professionals at Fortune 1000 companies across the United States in which 43 percent of respondents cited the legislation-induced triumvirate of policy, process, and procedure as their top priority.
Asked where they stand with regard to making changes in response to legislation, the majority of companies responding to the survey said they had or were in the planning stages of encryption, enhanced security awareness programs, and updated incident response plans and authentication processes.
But these compliance efforts, even if they overlap with traditional security concerns, seem to come at a price. The Forsythe survey notes that 28 percent of the respondents had little or no confidence that they had detected all significant security breaches in the past year; even more alarming, a similar number rated their current IT environment as more vulnerable than a year before. That, says John Kiser, CEO of Gray Hat Research Corporation, may be a sign that the time and money IT professionals spend demonstrating compliance to top management are resources taken away from other crucial security tasks.
“It is my contention that at high levels of leadership in corporations…they’ve been lulled into a sense of security about security by believing that if they are compliant, then they’ve become secure,” asserts Kiser. Prominent regulatory efforts, such as the Gramm-Leach-Bliley Act (GLB) and the Health Insurance Portability and Accountability Act (HIPAA), as well as globally accepted standards from ISO (the International Organization for Standardization), address only part of the security threatscape, Kiser says. “I do believe that you can be ISO compliant, GLB compliant, HIPAA compliant, Sarbanes-Oxley compliant, and not necessarily have a secure infrastructure at all.”
One reason he cites for this is the growth of technological products that promise to solve compliance problems. “It irritates me when I look around the industry today and see products that are oriented toward checklists” that look for a yes or no answer. “People are striving for the yes” without always considering whether any changes will result in a more secure network, he says. Therefore, these products are not necessarily making the enterprise more secure.
But Forsythe’s Pamela Fredericks counters that any higher profile given to IT security is a good thing. “In the past, information security policies and documentation about controls in an IT environment [were never on a par] with all the other things that IT would be dealing with,” she says. As a result of these regulatory requirements, suddenly these tasks have been given priority because they “receive much greater scrutiny than they ever have in the past.”
Fredericks adds that even if IT professionals are spending more time on documentation and less on substantive measures, that’s likely to be temporary. “I think that over time this initial focus on documentation will become less, because there was ramp-up to make sure that sufficient policies and processes were in place,” she says. “As companies become more mature in that end of things, there will be less focus on it.”
Results from the Forsythe survey are at SM Online.