10 Ways To Maximise Your Security And Compliance Investment

If anything has become clear over the past year, it’s that data security risks are real for organisations – and they’re only getting worse. From Ashley Madison to the recent Carphone Warehouse hack, security breaches have become commonplace and increasingly played out in public. Gemalto’s 2014 Breach Level Index showed that 1,541 IT breaches occurred globally in 2014 (up 46 per cent from 2013), with more than one billion records breached for the year.

The regularity of these incidents is forcing IT decision-makers to re-examine their security and compliance activities. Should organisations be doing more to secure data, or are breaches simply inevitable?

If you’re responsible for security, it’s worth considering whether you’ll still have a job if your business is publicly hacked due to your decisions. While investigators are still looking into whether Ashley Madison was subject to a compliance regime, we’ve already seen the company’s CEO, Noel Biderman, resign. The consequences can, no doubt, be extreme.

Problems often stem from organisational attitudes towards security and compliance. Many businesses treat security and compliance activities as simple box-ticking exercises. Emphasis is placed on doing the bare minimum, with limited regard given to the intent and benefits of compliance.

This mentality is problematic, as it means security measures are deployed ineffectively, time and money are wasted, and decision-makers are unable to discern return on investment (ROI). A ‘mere compliance’ approach sees compliance become the enemy.

The organisations that see real benefits are those that go beyond mere compliance. They recognise the critical role that security assessments, penetration testing and ethical hacking projects can play in protecting enterprise and consumer data. Most importantly, they spend their security compliance budget in a way geared towards optimisation.

But how can IT decision-makers ensure that they’re maximising the value of their security compliance budgets? Here are 10 tips to consider, courtesy of Kevin Foster, testing services manager, MTI Technology:

1. Link to business strategy

Avoid framing requests for resources and budget in mere ‘compliance’ terms, and highlight how compliance activities align with business goals. If you can effectively position how the activity supports organisational strategy, you’ll boost your chances of getting support.

2. Examine processes and outsourcing

Can you change organisational processes to reduce the areas that require compliance? If you can minimise the areas that require compliance controls, you can do a quicker, cheaper and better job over a smaller footprint. In addition, consider whether there are cost-effective options for outsourcing compliance to proven, qualified third parties.

3. Allocate budget strategically

If budgets are stretched, it’s worth considering big budget cuts to a small number of organisational areas. Doing so will enable you to funnel resources towards priority areas, as opposed to spreading resources wafer thin.

4. Emphasise balance

Particular compliance activities can dominate the IT budget and agenda, leaving other important activities neglected. This type of imbalance can see smaller problems accumulate and become much bigger and more costly over time.

5. Join up compliance

Time, money and resources can be saved by aligning IT and security compliance work-streams. Doing this can allow IT departments to address multiple, overlapping standards at the same time – boosting efficiencies. For example, there are many controls and concepts from the Payment Card Industry Data Security Standard (PCI DSS) that are also required by the Data Protection Act.

6. Security service level agreements (SLAs)

When procuring new IT solutions and third-party services, always try to include security SLAs. This will help to ensure that new systems entering your environment remain covered, secure and compliant over time. So, for example, if a new application fails a penetration test, your organisation isn’t the one needing to pay for upgrades or re-coding work.

7. Be honest and transparent

If the budget allocated isn’t adequate to do the job properly, let your stakeholders know that you can’t sign off the scope of work. Take into account the potential costs of a security breach (organisational, reputational and financial) and examine whether investment is sufficient.

8. Be up-front with regulation authorities and auditors

If the intent of a particular compliance control isn’t applicable to your type of organisation, provide evidence of this and you may be able to bypass unnecessary work and costs.

9. Help shape compliance standards

Get involved with relevant trade bodies and interest groups to help shape the compliance standards that affect your organisation. Most special interest groups and forums welcome input from the industry.

10. Seek professional advice early

Speak to independent industry professionals about how to get the most out of your security compliance budget. Be transparent about your existing compliance challenges so that compliance strategies can be tailored to your specific needs. Also, avoid issuing wholesale tenders, as this often leads to less return on investment and a smaller scope of work.

Ultimately, even if you don’t operate in a heavily regulated industry, it is worth considering the implementation of comprehensive security standards to safeguard organisational and customer data. Given the frequency of public data security breaches today, it might be better to be safe than sorry.

Duncan Macrae

Duncan MacRae is former editor and now a contributor to TechWeekEurope. He previously edited Computer Business Review's print/digital magazines and CBR Online, as well as Arabian Computer News in the UAE.
