Security Think Tank: How businesses can achieve compliance and security (Part 6)

What can businesses do to make regulatory compliance a priority without losing focus on security basics?

Someone of note once said (or was it me) that "the ultimate purpose of information security is to effect a successful legal outcome from the breaches that will inevitably occur".

Back in the day, when we confidently assumed we could defend our organisations against just about any external threat, this sounded like an unfairly pessimistic statement. But today's daily roll call of high-profile breaches, failures and resulting fines makes this after-the-fact goal for security more relevant than ever before.

Looking at this "legal purpose of information security" from a preventative angle, we find that the security of information is, and has been for many years, at the core of nearly all legal and regulatory compliance objectives.

Everything from the Payment Card Industry Data Security Standard (PCI DSS) to data protection law and sector-specific regulation such as the Financial Services Authority rules depends on having adequate security in place and working effectively.

When security fails, so does at least one aspect of compliance, and the resulting publicity and sanctions hit the business and its public reputation.

Standard security measures

So if we had to choose just two areas of focus for our security efforts that would achieve legal and regulatory compliance most effectively, while also minimising any legal or reputational fallout from breaches, what would they be?

Having said that information security is core and common to a wide range of internal and external compliance objectives, there is an economy of scale to be had in federating your security controls across the various risk "silos" within the organisation.

For example, the data protection function will have policies in place calling for specific security controls and procedures to protect personal data. Similarly, other risk functions, such as PCI, legal, compliance and HR (the list goes on), will have policies calling for the same or similar security measures.

So rather than continually reinventing the wheel, costs can be driven down and efficiency increased by aligning a standard set of security measures across all risk functions in the business.

One good starting point is to take all applicable legal and regulatory obligations and cross-map the security requirements from each of them to a single master set of security policies and controls. This exposes any gaps or duplication, either in policies or in the actual controls, saves wasted effort and employee time, and improves the overall effectiveness of organisational security. The same map also gives you the evidence trail an auditor or regulator will ask for after an incident: which control was meant to satisfy which requirement, and whether it was in place.
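As an added illustration that is not part of the original article, the cross-map can be kept as data and checked mechanically rather than maintained by hand in a spreadsheet. The Python below uses constructed, illustrative requirement identifiers and control names (shorthand only, not the wording or numbering of any real standard) and reports four things: requirements that no control covers (gaps), controls that map to nothing (orphans), requirements met by several controls (candidates for consolidation) and controls that serve more than one regime (the economy of scale the text describes).

```python
"""Cross-map regulatory requirements to a master control set.

Added example, not from the original article. All requirement IDs,
requirement text and control names below are constructed placeholders.
"""
from collections import defaultdict

# Constructed sample: each risk "silo" lists the security requirements its
# policies impose. IDs are illustrative shorthand, not real clause numbers.
REQUIREMENTS = {
    "PCI": {
        "PCI-A": "Render stored card numbers unreadable",
        "PCI-B": "Authenticate every user with a password or token",
        "PCI-C": "Log all access to cardholder data",
    },
    "Data protection": {
        "DP-A": "Technical measures against unauthorised processing",
        "DP-B": "Restrict access to personal data to those who need it",
    },
    "HR": {
        "HR-A": "Revoke system access when staff leave",
    },
}

# Constructed master control set. Each control records which requirement
# IDs it is claimed to satisfy; that claim is what the map checks.
MASTER_CONTROLS = {
    "C-ENC-01": {"name": "Encrypt sensitive data at rest", "satisfies": {"PCI-A", "DP-A"}},
    "C-IAM-01": {"name": "Unique user IDs with MFA", "satisfies": {"PCI-B", "DP-B"}},
    "C-IAM-02": {"name": "Joiner/mover/leaver process", "satisfies": {"HR-A", "DP-B"}},
    "C-IAM-03": {"name": "Quarterly access review", "satisfies": {"DP-B"}},
    "C-LEG-01": {"name": "Shred paper records", "satisfies": set()},
}


def cross_map(requirements, controls):
    """Return gaps, orphans, duplicated coverage and shared controls.

    gaps       : requirement IDs no control claims to satisfy
    orphans    : controls that satisfy no requirement at all
    duplicated : requirement IDs covered by more than one control
                 (review for consolidation; layered controls can be
                 legitimate, so this is a prompt, not a verdict)
    shared     : controls that serve more than one requirement, i.e.
                 where one control does the work for several silos
    unknown    : (control, requirement) pairs that reference an ID not
                 in any regime, usually a typo or a retired clause
    """
    all_reqs = {rid: (regime, text)
                for regime, reqs in requirements.items()
                for rid, text in reqs.items()}

    coverage = defaultdict(set)   # requirement ID -> controls covering it
    unknown = set()
    for cid, ctrl in controls.items():
        for rid in ctrl["satisfies"]:
            if rid in all_reqs:
                coverage[rid].add(cid)
            else:
                unknown.add((cid, rid))

    gaps = sorted(rid for rid in all_reqs if rid not in coverage)
    orphans = sorted(cid for cid, c in controls.items() if not c["satisfies"])
    duplicated = {rid: sorted(cids) for rid, cids in coverage.items() if len(cids) > 1}
    shared = {cid: sorted(c["satisfies"]) for cid, c in controls.items()
              if len(c["satisfies"]) > 1}
    return {
        "gaps": gaps,
        "orphans": orphans,
        "duplicated": duplicated,
        "shared": shared,
        "unknown": sorted(unknown),
    }


def coverage_by_regime(requirements, controls):
    """Per-regime count of (covered, total) requirements, for reporting."""
    result = cross_map(requirements, controls)
    gaps = set(result["gaps"])
    return {regime: (sum(rid not in gaps for rid in reqs), len(reqs))
            for regime, reqs in requirements.items()}


if __name__ == "__main__":
    report = cross_map(REQUIREMENTS, MASTER_CONTROLS)
    for key, value in report.items():
        print(f"{key:10}: {value}")
    print("coverage  :", coverage_by_regime(REQUIREMENTS, MASTER_CONTROLS))
```

On the constructed data this flags the logging requirement as an uncovered gap, the paper-shredding control as an orphan that no policy actually demands, three separate controls all pointed at the same access-restriction requirement, and three controls each doing double duty across two regimes. Keeping the map in a form like this also means a new regulation is added by listing its requirements and mapping them, not by drafting another parallel control set.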

Incident management

Looking at some of the most damaging recent breaches, Sony and RSA among others, we can see that much of the reputational damage, disruption and consequential loss has been down to poor incident and public relations management in each case.

When spokespeople fail to come forward, or conflicting statements are released at different times while critical services remain down, the public sees the level of internal confusion that must have been going on behind the scenes.

Despite the rise in major incidents and warnings from experts that any security measure can now be defeated, information security still tends to concentrate its investment on preventative measures rather than on planning to manage incidents well. Breaches will occur no matter how good your defences are. Accept that and plan for it in advance.

My top tip here would be to collaborate with senior management, legal and corporate communications people ahead of any disaster: pre-draft press statements, decide who does what, and get it all agreed, approved up front and built into the incident plan. Get key spokespeople media-trained.

Trying to do this on the fly after a major incident strikes is a disaster in itself, just waiting to happen.

Adrian Wright is director of projects for the UK Chapter of the Information Systems Security Association