Infosecurity 2008 - Complying with security regulations is not enough

The various legislation and industry standards that require businesses to protect sensitive data may drive us all a little nuts - the extra expense, investing the time to understand the new rules, business disruptions during the deployment process, etc.

However, data protection rules such as PCI DSS are positive, and implementing good security guidelines will help any business reduce the opportunities for a criminal to conduct a successful attack, writes Gordon Rapkin, CEO of Protegrity.

Unfortunately, simple compliance with data protection regulations is never enough to protect captured, transmitted and stored data adequately. Businesses that focus solely on achieving compliance may decide not to deploy the more sophisticated measures that would make their systems truly secure.

Many regulatory data protection guidelines are basic best practices, no more and no less. Many organisations make the huge error of being reactive, designing their security and compliance programmes solely in response to breaches or regulatory demands. True security is proactive.

Reactive responses tend to result in disparate data security and privacy projects which leave substantial security holes as data moves among (or is shared by) multiple platforms and applications. Failing to treat the protection of confidential data as an enterprise-wide, proactive strategy produces needlessly high costs and less-than-optimum security.

To get the best return on a security investment, businesses should be thinking of data security management as an ongoing enterprise-wide strategy. Security is a process, not a project. Focus on developing strong defences against agreed-on risk analyses and threat profiles, rather than on meeting the demands of specific regulations.

True security should be holistic - a comprehensive data-driven plan that includes technology, policy, processes and people. Data flows through a company, into and out of numerous applications and systems. This flow, in its entirety, is the focus of a holistic approach to data security. Think of your network as a municipal transport system. The system is not just about the station platforms. The tracks, trains, switches and passengers are equally critical components. Many companies approach security as if they are trying to protect the station platforms, and by focusing on this single detail they lose sight of the importance of securing the flow of information.

Simply following the letter of the law may leave your organisation technically compliant but not very secure. Security measures that aren't understood and fully embraced across the entire enterprise can, and will, be circumvented. As you plan, implement or refine your data protection plans, don't stint on ensuring that employees understand the importance of keeping customer information secure and protected.

We can't rely on applications to do all the work for us and we can't just throw money at the data security technologies and hope risks will go away. Smart policies, procedures and people are just as important as choosing the right security solutions. This holistic approach to security is far more powerful than the fragmented practices present at too many companies.

Focusing on developing a comprehensive data-driven holistic protection plan rather than continually struggling to achieve compliance with current regulations allows you to think strategically, act deliberately and get the absolute best return on your data security investment.

>> Computer Weekly Infosecurity 2008 show guide and preview
This was last published in April 2008
