Day 3 of Incite: Stay out of Jail (Compliance)
Compliance continues to generate tremendous hype, but largely remains a red herring throughout 2006. Smart users will use the compliance word to get funding for critical imperatives (perimeter redesign, identity management) and sufficiently document their processes to keep regulators happy. Less savvy users figure encryption is a panacea and buy some, ultimately realizing that making encryption work on a large scale hasn’t gotten any easier.
Ah, compliance. The reigning champion of top CIO concerns, which single-handedly will drive information security growth for the next umpteen years. Can’t you see the vendor mouths watering when checking out IDC’s seminal March 2005 study pegging compliance spending to grow from $7.5 billion in 2004 to over $20 billion in 2009? Well, I think they are dead wrong.
To be clear, I like the IDC guys. Loved them when I was a vendor. Some of them really know their spaces, but to think an issue as far-reaching as compliance is going to be “counted,” either now or in 2009, seems ridiculous. Let’s say I’m implementing an identity management framework. How much of that spend gets counted in “security” and how much in “compliance”? Who knows? And more importantly, who cares?
Compliance as a stand-alone line item goes away by 2007. Compliance must become part of the technology fabric. Your systems and infrastructure need to be compliant with the regulations that apply to your business.
But, I’d be remiss if I didn’t mention the arbitrage opportunities here. For a short amount of time, there will be a “compliance” line item and shame on us if we don’t utilize that budget for stuff we really need. So, if you think identity management is going to improve your user experience, buy it. Seems like compliance to me. If you are worried about your intellectual property being e-mailed out of the organization, get a “leak prevention” device. It’s crystal clear how to make the case that it contributes to your compliance efforts.
Do you see what I’m getting at? You can utilize that compliance budget to buy the things you really need, but always seem to get cut out at budget time. Don’t feel bad about it either. You are doing the right thing. Most of these things DO in fact help with compliance, and there are lots of side benefits to these technologies as well.
The other thing to focus on in 2006 is documentation. Sure, you can be very secure, but you also need to be able to prove it. So when the examiner shows up, make sure all of your processes are written down and professionally packaged. Make sure you can explain your containment procedures in the event of an incident. Show that you actually practice those procedures.
Remember, the examiner does not want to crucify you, because it means more work for them. But they need to do their job, and they expect you to do yours. Also, don’t freak out if something does happen. Show in painstaking detail how you contained the problem and what changes you’ve made to ensure it doesn’t happen again.
Now let me address the myth of the “compliance panacea.” Or silver bullet. Or whatever you want to call it. Many vendors will come forward and claim that their product will address your compliance needs. It won’t. Sure, it can help, but there is no single product category that addresses compliance. So think about compliance holistically. What kind of information security program do you need in place to prove to an examiner that you are protecting private data?
What about encryption? Doesn’t that address the needs of compliance? The answer is yes, but only if you can roll it out to everyone and make it easy to use. Remember the weakest link (Goodbye!): if data goes out unprotected, it can be a violation. So for encryption to be the panacea, it needs to be ubiquitous for everyone who has access to the sensitive data.
Technically, encrypting data is relatively trivial. The technology is mature enough to make that rather straightforward. But figuring out WHAT to encrypt and HOW to encrypt it is non-trivial. Ensuring that the recipient can decrypt the data easily is outright hard. Making it work on an enterprise scale can be brutal.
So to clarify the final part of the compliance Incite, a lot of people will buy encryption solutions this year. Most think it will get them well along the path to compliance. A majority will be disappointed with the results.
Compliance is a process. It is not a product. You cannot count it (hear that IDC?). You must be it. And you must have the tools to prove it.
That's Day 3. Tomorrow, we'll discuss some religion around security techniques.


Agree that end users need to understand what they are spending for "compliance." I also agree that compliance-specific stuff MAY not provide security. But in almost all cases, the converse is correct, in that by protecting your information assets you will become "compliant." Any additional effort is really packaging what you are doing to prove it to an examiner.
Vendors have been on the compliance bandwagon for the past 5 years, if not longer. It's not like I have to tell them to do that. My point is that the smart vendors will focus on how they help to protect the information assets, and sell the reporting for compliance sake as a value-add. Sure, the budget may be a compliance budget, but shame on us if we don't use that money for something a bit more strategic.
Appreciate the thoughts, Richard.