A wave of new laws and regulations is forcing company boards to re-examine their compliance strategies, says a cross-industry security think tank.
Organisations have to get much more serious about compliance, according to the Security for Business Innovation Council, run by RSA, the security division of EMC.
Companies are facing greater enforcement, the global spread of data breach notification laws, increasingly prescriptive regulations, and growing business partner requirements, the council said in its latest report.
The report outlines a landscape in which highly-motivated legislators are escalating information protection mandates due to a steady stream of massive data breaches.
Enforcement of existing regulations is being tightened through expanded powers, higher penalties and harsh enforcement actions.
Organisations in Europe are facing the upcoming overhaul to the EU Data Protection Directive, which is expected to include increased enforcement and breach notification.
In future, it will be impossible to hide information security failings as legislators force transparency and data breach disclosure becomes a global principle, said Art Coviello, president of RSA.
Regulators are moving away from light-touch to more interventionist regulation, said Stewart Room, partner at law firm Field Fisher Waterhouse and contributor to the report.
He predicts a continuing trend towards more frequent regulatory intervention and more litigation relating to data protection.
The new era of compliance ratchets up the challenges facing information security teams, the council said.
The report includes recommendations to help organisations meet the demands of the new compliance landscape.
The council's recommendations for compliance
• Embrace risk-based compliance: Build an effective enterprise program that provides everyone in the chain with all the information needed to make risk decisions.
• Establish an enterprise controls framework: Create a consistent set of controls across your enterprise that is mapped to regulatory requirements and business needs.
• Set your threshold for controls: Determine the "right" level of security controls and gauge the prevailing industry standard to meet the legal requirement.
• Streamline and automate compliance processes: Establish an enterprise governance, risk and compliance strategy.
• Fortify third-party risk management: Move away from "boilerplate" security agreements and toward comprehensive third-party strategies.
• Unify the compliance and business agendas: Develop the organisational structure to embed compliance into the business and align it with the organisation's goals.
• Educate and influence regulators and standards bodies: Educate legislators and constructively affect regulation to avoid overly prescriptive rules.