Compliance is one of the biggest drivers of information security initiatives, according to a TechTarget survey of U.K. information security professionals. However, despite the findings, industry observers believe that compliance efforts aren't necessarily making organizations more secure.
With the Data Protection Act deadline that passed in early April and the upcoming Payment Card Industry Data Security Standard compliance deadline, organisations are being forced to consider compliance efforts as a part of their everyday dealings.
The survey, taken at the end of 2009 by 150 U.K.-specific information security pros, solicited information about proposed 2010 information security budgets and spending. Approximately 36% of those surveyed identified compliance as a major concern within their organisations.
According to Ian Kilpatrick, chairman of Surrey-based value-added distributor WickHill Group plc, that 35% figure may not be high enough. With the Information Commissioner's Office publicizing data breaches from as recently as March 2010 on its website, he believes compliance efforts still aren't improving security in many organisations.
"The biggest single issue with compliance is the whole concept of compliance," Kilpatrick said. "People look at this as a problem they have to deal with, rather than caring really deeply about their data." Kilpatrick said companies look at compliance as an expensive project, when in reality they should be treating it as an opportunity to protect sensitive data.
Budgets are, however, a real concern for many organisations, as 41% of respondents said their compliance budgets were flat year-over-year. Rather than tackling compliance efforts as a huge one-off cost to companies, a better way to look at it is to take it one step at a time, according to Paul Simmonds, a Jericho Forum member.
"It doesn't matter if it's PCI DSS or the Data Protection Act -- probably 80% of it is good, basic security practice," said Simmonds, who is based in London and works in the pharmaceutical industry. He said people can get hung up on new and complex technologies or trends. But basic security measures, such as laptop encryption, need to be implemented to best protect data, and in turn become compliant.
Stuart Brameld, technical director at London-based Nebulas Solutions Group Ltd., believes the key to ensuring that compliance efforts help improve data protection lies in "being able to take advantage of multiple functionalities on a single piece of hardware." This enables companies to avoid paying for a multitude of products, and receive the benefits of several security functions. Brameld cited unified threat management (UTM) products as an example of this kind of multifunctionality.
Kilpatrick said he suggests reducing the dependence on what he calls trigger security devices, and installing a security information management (SIM) system or a unified threat management (UTM) product.
"If you can centralize the information into one console, then you're in a position where you can reduce staffing costs and deploy security individuals to other necessary security projects," he said. As it is now, too many companies have talented security staff reading logs, looking for events, Kilpatrick said, when an automated system could be doing that for them, freeing them up to use their talents elsewhere in the organisation.
Kilpatrick also mentioned that companies that believe in protecting their data are much more proficient than companies that only do something because they must, usually because of compliance. This mindset can prove valuable when it comes to the Data Protection Act, as well. "The Information Commissioner's view is if you've done the right things and you have a breach, he'll view that differently from those that have not done the right things."
One thing to remember is that employee education can play a large part in compliance efforts, as well, according to Simmonds. Unencrypted laptops or USB drives can cause serious security issues, but employees, he said, may not know that.
"People generally want to do the right thing, and security people should help them to do the right thing, in the right way," Simmonds said. "Get the basics right, get the education right and train people."