According to Verizon, in the ten years it has been producing its PCI Compliance Report, none of the organisations that suffered a data breach were fully compliant at the time, writes Javid Khan, CTO of Pulsant, a business cloud platform company.
What this clearly demonstrates is that compliance, and IT compliance in particular, is not only a critical element of business but can also present a major challenge to its ability to thrive. Despite common misconceptions, maintaining compliance is not just important for those in heavily regulated industries; it affects organisations throughout the public and private sectors. Nor is it simply a case of achieving IT compliance and moving on to the next task: compliance needs to be continuously maintained if you don't want to fall foul of increasingly large fines. A case in point is the impending European Union (EU) General Data Protection Regulation (GDPR), under which companies in breach of the stringent regulation face fines of up to 4% of global annual turnover or 20m euros, whichever is greater.
Organisations are affected by change. We all know this. But maintaining compliance becomes increasingly difficult in the face of internal change (such as expansion) and external shifts in the market and in the compliance landscape. The impending GDPR has opened the floodgates to uncertainty, so much so that almost every organisation is asking: Am I compliant? Do I need to be? For the most part, compliance is an organisational commitment that spans both technologies and processes. It forms part of a governance regime that embodies good practice and makes commercial sense. A key part of implementing a framework, though, is understanding that it is an ongoing endeavour.
Continuous compliance is something that many modern businesses are already doing in some form. However, there are several barriers to doing it effectively, and size, growth and understanding of compliance remain the largest. Firstly, the sheer size of risk management and compliance frameworks makes them difficult to manage. Secondly, an organisation is influenced by internal and external changes over which it has little control. Lastly, there is a widespread lack of understanding of what compliance actually means and what it applies to. There is also a growing skills gap: IT teams often lack the skillset to ensure cross-organisational compliance, and they lack the broad industry view that would show them how similar organisations overcome their compliance issues.
The aim of regulation is that compliance is a regular, ongoing endeavour that caters for changes in the wider market as well as in the business itself, and maintaining compliance is essentially managing that change. Organisations will likely have a myriad of technology solutions at their disposal already, so an important starting point is to review these existing tools alongside the regulatory requirements they need to adhere to. Once they have a complete view of their technology estate, businesses can optimise their existing investment and ascertain whether additional tools will be required. For an IT team's own sanity, it is important to use tools that provide everything they need to know about their compliance in a single dashboard. The good news is that there is generally a significant amount of overlap between regulatory frameworks, so once an organisation is compliant with one, the chances are that meeting compliance with the next won't be as complex.
It is important that stakeholders have accurate and timely information at all times. By maintaining a dynamic configuration management database (CMDB) they can track their IT estate 24/7 and trigger alerts in real time. Using pre-defined rules and bespoke policies, solutions available today can continuously pull configuration information and check it against controls to identify non-conformities. Because of the disparate systems typical of a modern, global organisation, it is important that whatever solution they choose can read, process and analyse configuration data from multiple sources. These could be anything from operating system logs, software configuration and applications, to cloud platforms such as AWS and Azure, to other compliance tools.
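As an added illustration of the checking loop described above (this is not code from the article or from Pulsant's platform): constructed configuration records from two feeds are normalised to one schema, evaluated against rules tied to constructed control IDs, and compared between runs so that only new non-conformities raise an alert. The feed formats, configuration keys and control IDs are all assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    control: str   # constructed control ID the rule maps to
    source: str    # which feed the record came from
    asset: str
    detail: str

def normalise_os(lines):
    """Constructed OS feed: lines of the form 'host key=value'."""
    out = []
    for line in lines:
        host, kv = line.split(" ", 1)
        key, value = kv.split("=", 1)
        out.append({"source": "os", "asset": host, "key": key, "value": value})
    return out

def normalise_cloud(buckets):
    """Constructed cloud inventory feed: dicts from an imaginary storage API."""
    return [{"source": "cloud", "asset": b["name"], "key": "public_access",
             "value": str(b["public"]).lower()} for b in buckets]

# Rules: config key -> (expected value, constructed control ID).
RULES = {
    "ssh_password_auth": ("no", "CTRL-ACC-03"),
    "disk_encryption": ("on", "CTRL-ENC-01"),
    "public_access": ("false", "CTRL-DAT-02"),
}

def evaluate(records):
    """Check every normalised record against the rules; return non-conformities."""
    findings = set()
    for r in records:
        rule = RULES.get(r["key"])
        if rule and r["value"] != rule[0]:
            findings.add(Finding(rule[1], r["source"], r["asset"],
                                 f"{r['key']}={r['value']}, expected {rule[0]}"))
    return findings

def drift(previous, current):
    """New non-conformities since the last run: what a continuous check alerts on."""
    return current - previous

# Constructed snapshots: the second run fixes SSH but exposes a bucket.
SNAPSHOT_1 = (normalise_os(["web01 ssh_password_auth=yes", "web01 disk_encryption=on"])
              + normalise_cloud([{"name": "logs", "public": False}]))
SNAPSHOT_2 = (normalise_os(["web01 ssh_password_auth=no", "web01 disk_encryption=on"])
              + normalise_cloud([{"name": "logs", "public": True}]))
```

Running evaluate on each snapshot gives the full list of non-conformities for a dashboard, while drift between consecutive runs gives the real-time alerts.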
A path towards acceptance
We are all aware of the benefits that cloud computing brings to business. While historically there were concerns about security, those have all but disappeared on the cloud's path towards widespread acceptance. Businesses large and small have increasingly moved processes to the cloud and reduced their capital expenditure at the same time. The cloud isn't a hidden landscape; rather, it offers a tremendous amount of transparency. While in 2018 compliance may be challenging, it is achievable. So is continuous compliance, something that can add significant value to a business wanting to thrive in a global marketplace. The right platform, supported by a team of experts, can go a long way towards removing the complexity from achieving compliance in the first place, as well as from maintaining it.