Whether compliance is seen as a distraction or a useful tool, someone has to marshal and present the facts
Unfortunately, the connection between many of the popular business issues and security is still missing in chief executive circles. It can sometimes feel as if they do not want to be bothered with security along with all the other business issues.
Compliance may be the one thing that will change this attitude. After all, it is going to be hard to prove good business practice if you do not know who did what in your book-to-bill systems. However, this will not change attitudes overnight, so sadly it seems security professionals are going to have their work cut out ensuring that a systematic and methodical approach is taken rather than just a quick point-fix.
Currently, compliance is seen as synonymous with bad news: unnecessary extra work, and a task to be handed to someone to do at the lowest possible cost. But why is compliance necessary, and what exactly is it? Is it some external requirement, or the re-establishment of well-respected internal procedures that are being breached by a changed trading and technology environment?
Compliance is, or should be, the act of re-establishing processes in a manner that is suitable and appropriate for the faster, online trading environment that increasingly reflects the way business is done today. However, it is not only the medium of the processes that has changed, nor even the speed, but also the sheer number of people, companies and fraudsters that are able to use the medium to do business.
Back at the beginning of the popularity of the internet and the web, a popular comment was "on the internet no one knows you are a dog". It was a positive endorsement of the ability of small businesses to do business without the constraints previously placed on them by location or physical facilities.
Today, perhaps, the term could be re-applied in any number of ways, most of which should be deeply concerning, varying from the obvious "no one knows you are a crook", to the less obvious "no one knows if you really have the authority to do this".
Historically, local businesses, or those with long established partners, had personal relationships, and they established preferred supplier relationships over time. But the need for the lowest price, the quickest reaction and the fastest delivery has replaced this process almost entirely. Do we really think good business is to do business with those we do not know?
The argument in favour of proper identity management is obvious, but what exactly is proper identity management? It is not enough to be able to confirm that an individual is an employee. The individual's authority in relation to the nature of the transaction must also be established before the transaction can be authorised. Put another way, contextual identity within a procedural process is required just as it always has been, and it is the auditor's role to check that this is in place.
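The distinction the paragraph draws, between confirming that someone is an employee and confirming that they have the authority to approve this particular transaction, is easy to state and easy to get wrong in systems that stop at authentication. The following is an added illustration written for this page, not code from the author or from Capgemini: a purchase-order approval check that separates authentication from contextual authority (role, approval limit, and a separation-of-duties rule that nobody approves their own order) and writes every decision, allowed or denied, to an audit trail the auditor can inspect. The employee directory, roles, limits and order details are all constructed for the example.

```python
"""Added illustration (not from the article): authenticate the actor,
then check their authority *for this transaction*, and record every
decision so an auditor can answer "who did what" later.
All names, roles and limits here are invented for the example."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed employee directory: who they are, their role, and the
# largest single purchase order that role may approve.
EMPLOYEES = {
    "alice": {"role": "buyer", "limit": 10_000},
    "bob": {"role": "finance_controller", "limit": 250_000},
    "carol": {"role": "warehouse", "limit": 0},
}


@dataclass
class PurchaseOrder:
    po_id: str
    supplier: str
    amount: float
    raised_by: str  # employee who created the order


@dataclass
class AuditRecord:
    when: str
    actor: str
    action: str
    po_id: str
    outcome: str
    reason: str


# Append-only record of every authorisation decision (in memory here;
# a real system would write it somewhere the actors cannot alter).
AUDIT_LOG: list[AuditRecord] = []


def _record(actor: str, action: str, po: PurchaseOrder, outcome: str, reason: str) -> None:
    AUDIT_LOG.append(AuditRecord(
        datetime.now(timezone.utc).isoformat(), actor, action, po.po_id, outcome, reason))


def approve_purchase(actor: str, po: PurchaseOrder) -> bool:
    """Return True only if `actor` is a known employee whose authority
    covers `po`. Denials are logged with the reason, not silently dropped."""
    entry = EMPLOYEES.get(actor)
    if entry is None:
        # Authentication failure: we do not know who this is.
        _record(actor, "approve", po, "denied", "not a known employee")
        return False
    if actor == po.raised_by:
        # Separation of duties: raising and approving must be different people.
        _record(actor, "approve", po, "denied", "cannot approve own order")
        return False
    if po.amount > entry["limit"]:
        # Known employee, but no authority for a transaction of this size.
        _record(actor, "approve", po, "denied",
                f"amount {po.amount} exceeds {entry['role']} limit {entry['limit']}")
        return False
    _record(actor, "approve", po, "allowed", f"within {entry['role']} limit")
    return True


def audit_trail(po_id: str) -> list[dict]:
    """Everything that was attempted against one order, in sequence."""
    return [vars(r) for r in AUDIT_LOG if r.po_id == po_id]


if __name__ == "__main__":
    po = PurchaseOrder("PO-1001", "Acme Supplies", 50_000, raised_by="alice")
    for who in ("mallory", "alice", "carol", "bob"):
        print(who, "->", approve_purchase(who, po))
    for rec in audit_trail("PO-1001"):
        print(rec["actor"], rec["outcome"], rec["reason"])
```

Note that carol is a perfectly valid employee and still gets denied; that is the point of the paragraph above, and the audit trail shows the auditor exactly why each decision went the way it did.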
So, is compliance good business sense, or forced external interference? If it is good business practice it needs to be aligned with overall business activities. This must be done by implementing a properly thought-out structure that will manage all aspects of the business, internal and external. The technology is generally referred to as security technology and not business management technology, and this seems to be more of an issue than it ought to be.
As more book-to-bill processes move towards electronic interaction, the issues become more pressing, and the demands of the auditors will also increase as they look for the necessary improvements in securing those processes.
A firewall and a policy of denying access are simply not going to work as more and more transactions blur the line between the external and internal elements of what is in fact a single long-running process between two trading partners. Security has to be focused around the process and not the enterprise. This is the so-called boundaryless information flow being defined by various vertical industry sectors.
Running financial status checks and managing credit limits to inform trading decisions is something that has been done for years. But the growing dependence on external data, which is rapidly compiled into business trading information, places a new emphasis on the reliability of partners' data. There is also a rising worry about what those partners may do with the data they receive in return.
Looking ahead, it seems likely that an equivalent audited check on a potential partner's processes, including how it manages individual authorities, will be equally important. This will ensure that those you become dependent on do not end up being the most dangerous to your enterprise's wellbeing. The need to understand whether a partner's processes and controls are regarded as compliant by their auditors seems likely to become as important as a credit check.
So is it security or good business practice? Is compliance a distracting cost, or an enabler of improved management? In the end it is the chief executive and chief financial officer who will have to make the decision, but it is the chief information officer and his team that will need to make sure that the full facts and implications are made clear in a business comprehensible manner.
Andy Mulholland is global chief technology officer at Capgemini