The march towards greater regulation and adherence to compliance has created a set of challenges for organisations and their IT departments, while also delivering a cultural shift with regards to how they treat data and quantify the need to secure it.
As always, there is a balancing act to achieve between meeting compliance and security expectations, while also keeping the business functional.
If security is too stringent, productivity along with adherence will fall as staff spend too long either achieving compliance, or trying to circumvent it.
Too lax, and the organisation exposes itself to financial and reputational risk in the event of a data breach; productivity falls as systems are disrupted by security exploits; and user adherence declines, because staff simply do not bother to comply with policy and regulated activities.
Achieving just the right balance so that security is tight, compliance is met and users are able to work productively in the security and compliance framework is the Holy Grail, but also an achievable one.
The easiest way to balance the business need for network and application access with security and regulatory requirements is to first recognise the underlying trends:
- In the new era of hybrid IT where IT teams operate an internal market model that sees them serve as both the service provider and the broker, one has to rethink how to balance the business needs with regulatory requirements.
- In the age of BYOD (bring your own device), it is not the wall of the datacentre but the unsecured mobile devices that become the vulnerable endpoint of businesses.
- With shrinking datacentres either being outsourced to external facility operators or completely evaporated into the cloud, the new perimeter to secure in terms of endpoint security now extends to remote-control smartphones and tablets, devices and platforms where regulations are still in their infancy.
- Access to the network and its applications, in terms of authentication, authorisation and auditability, is a tipping point, because heavy-handed regulations tend to make access cumbersome, whereas lighter regulations fail to protect privileged resources.
The pragmatic way to define the business need for network and application access with security and regulatory requirements is to piggyback on the foundational work done by professional organisations such as the UK chapter of the Information Systems Audit and Control Association (ISACA) and the Communications Electronics Security Group (CESG), the information security division of the UK government’s intelligence service.
Both are examples of organisations that have developed and shared frameworks and best practice for effective implementation and adherence to security and compliance policy.
ISACA is one of several organisations offering certification programmes for information security managers, a step to ensure that knowledge can be fostered in the IT department and disseminated into the wider organisation.
Working with these and other industry bodies, as well as through peer review, organisations can understand the pressures faced by others, along with their solutions and approaches, using that to help formulate an effective framework for meeting security and compliance obligations that fit in with efficient workflow. Ideally, security and compliance should be part of workflow, rather than being treated as an inconvenient or time-consuming add-on.
Dipto Chakravarty is executive vice-president of engineering and products at ThreatTrack Security