Monday, January 28, 2008

Compliance costs not slowing down - technology automation to the rescue

Deloitte - Navigating the Compliance Labyrinth offers some great tidbits from recent surveying of financial executives.

  • Compliance costs continue to increase, from 2.83% of net income in 2002 to 3.69% of net income in 2006.
  • Primary costs continue to be driven by applying people, not technology, to the problem.
  • And the kicker from our perspective: measuring compliance performance remains largely a qualitative rather than a quantitative process. Only 55% of financial institutions reported using quantitative metrics, implying a limited application of process management tools and methodology.

Forget the name of the segment (e.g., GRC, IT-GRC, ERM, VM). The bottom line is taking a process-management-based approach with technology. Commercial solutions (not home grown) offer enterprises the opportunity to leverage technology automation to reduce the number of people doing mundane/manual tasks, with the result of reduced compliance costs!

Monday, January 21, 2008

Another security breach, but this one is different...

Late last week I saw the news around local JC Penney's hit the wire: "Data of 650,000 customers at risk." Now this situation appears completely different from TJX. The data, and I assume the protection of that data, were outsourced.

So this begs the question: should vendors that provide services to enterprises involving sensitive data be required to be certified against ISO 27001?

Here is a great write-up, a case study I came across, of a vendor doing this. Just like we expect vendors to achieve specific Service Level Agreements on availability, performance, etc., shouldn't we be doing the same things around security and risk?

Wednesday, January 16, 2008

So much to read, so little time - Top Information Security Risks for 2008

Now this is impressive! It's going to take a while to read the supporting reference documents, but this summary is gold and from my perspective a must read for IT Risk Management.

In the primary summary document, "Top Information Security Risks for 2008," we get an impressive laundry list of threats & vulnerabilities, their impacts, the risk and the controls. Page 5 talks of specific risks, some of which can be addressed with various technical control products on the market, for example #2 - Information Leakage. If you want to get down and dirty understanding these products, spend some time with Rich over at securosis, specifically his blog entries and the summary which formed his white paper on understanding & selecting DLP solutions.

This section also highlights non-technical controls, audits, etc., in #5: "poor information security studies, risk assessments, projects/assignments and/or staffing/organization, causing failed, wasted, excessive or otherwise inadequate controls and practices selection, implementation, performance measurement, monitoring and/or auditing." Wow, that's a mouthful! But this is exactly what IT GRC is all about. By using these software platforms you can move beyond poor, ad-hoc attempts at mitigating this risk and ensure your enterprise takes a comprehensive, top-down look at any and all potential risks and assesses their potential impact. If you then go down to #1 in the controls section of the document you will see what in my eyes is basically an advertisement for IT GRC solutions and the process around deploying them: "investment in a good and systematic ISMS (Information Security Management System) incorporating high quality information assurance processes..."

A key statement back in #5 of the risks that I was surprised to see was the calling out of "excessive" controls. This is something we at Securityworks (especially Bryan) are passionate about. Some vendors in the IT GRC space believe in throwing the entire "book of controls" at it and you will be fine; we believe it's about making sure you have quality controls in place, not simply quantity. Bryan has talked about this previously.

Tuesday, January 15, 2008

2008 - The Year of IT Risk Management, Part 3 - More and more GRC oriented predictions!

I keep thinking I'm going to be able to move on to other topics related to IT Risk & Compliance management, but it's hard to when my blog reader keeps popping up more and more articles and postings that talk about 2008 predictions and how GRC and IT GRC are going to be the "in thing" this year for IT Security groups.

IT & Compliance: 5 Big Predictions for 2008 highlights "...Managerial evolutions, such as process-centric IT and better application of risk-management principles to information security management, will help companies refine and streamline IT governance and compliance."

The post continues on later with two of the five predictions hitting on capabilities or features of IT GRC products.

Friday, January 11, 2008

2008 - The Year of IT Risk Management, Part 2 - Rise of IT GRC

The drumbeat of customer success stories, industry partnerships, market predictions, etc. for IT Governance, Risk and Compliance Management (IT GRC) continues to get louder and louder. Just caught this article over on TechTarget, "Security Management 2008 - What's in Store." About halfway through, Mike highlights the GRC space.

-snip-
Hopefully, security professionals will finally come to grips with the discipline that is preparing for an audit, which will result in an opportunity for vendors that provide so-called GRC products -- glorified reporting and workflow packages meant to automate the compliance process. These products allegedly automate the data gathering and reporting processes, so managers don't have to spend days (or weeks) preparing for the audits. Clearly that is a problem for security professionals that should be doing something more productive than preparing for an audit. It pains me to think that we'll need to implement yet another point product to solve a problem, but it is what it is.
-snip-

Even though skeptical, I'll take that as an endorsement for GRC in 2008! Mike, give us a shout if you would like a demo, a discussion or even an introduction to customers using it.

2007 was a great year of education on the value of IT GRC, and we hope/expect 2008 to be the year customer implementations of this security automation take off! The ROI and team efficiency gains are tremendous, and it also reduces the headaches and frustrations security team members get when having to prepare for audits.

Oh yeah, here is part one of this blog series, "2008 - The Year of IT Risk Management," just in case you missed it.

Tuesday, January 8, 2008

How aware are your employees on IT security and risk policies?

Nice read that highlights 10 areas of risk that should be in focus for 2008. One that really jumped out, which we are starting to hear more about here in the IT-GRC space, is awareness and training of employees on security and risk situations.

-snip-
Employee and Customer Awareness
It’s something everyone intends to do – better educate their employees and customers about the security threats that are facing institutions and customers. Now with the ID Theft Red Flags, it’s also been pushed to the top of the compliance list. Institutions by Nov. 1 must have a written program showing how they are educating their employees and customers about identity theft.

American Banker Association’s Doug Johnson, senior policy advisor for the largest industry association, lists this as one of the top risk management issues for 2008. ”Increasing your institution’s security awareness pays off in several ways -- employees learn how to protect the data they’re working with, and their awareness reduces the threat of the insider threat (either malicious or unintentional),” says Johnson. Many times the malicious insider can be stopped, if the people working with them are trained and are aware of the red flags that show the work habits and behaviors of a malicious insider. Do your employees know what to look for, what indicators there are that an insider is doing something on your networks or to your institution’s data?
-snip-

A new thing to many that was mentioned in here was "ID Red Flags." Federal ID Red Flags are supposed to be in place by November 1, 2008 (about 10 months from now). These rules (announced in November) implement sections 114 and 315 of the Fair and Accurate Credit Transactions Act (FACTA) of 2003. Basically, each financial institution’s Identity Theft Prevention Program must include reasonable policies and procedures for detecting, preventing and mitigating identity theft.

Part of this process is prevention. One of the best ways to prevent something is through education, for example by having automated capabilities that require each employee to read what is expected of them in helping prevent Identity Theft. IT-GRC automation can help here by automating this policy dissemination and tracking its acceptance by the owners of any company IT resource that may contain consumer identity information (e.g., from server owners, to laptop owners and beyond).

Friday, January 4, 2008

2008 - The Year of IT Risk Management?

I've been busy over the holidays enjoying everyone's blogs and articles recapping 2007 and making predictions for 2008. Among other things highlighted in those articles, a common point that pertains to Securityworks is "true" IT Risk Management (by "true" I mean the message is coming from companies that didn't adjust their marketing to be en vogue, e.g., SIEM products or Vulnerability Assessment products).

Before IT Risk Management was "cool," Securityworks was out there working away on it (for over 4 years now).

One of my favorites that highlights this prediction for 2008 is over at Rational Survivability.

-snip-

Compliance stops being a dirty word & Risk Management moves beyond buzzword
Today we typically see the role of information security described as blocking and tackling; focused on managing threats and vulnerabilities balanced against the need to be "compliant" to some arbitrary set of internal and external policies. In many people's assessment then, compliance equals security. This is an inaccurate and unfortunate misunderstanding.

In 2008, we'll see many of the functions of security -- administrative, policy and operational -- become much more visible and transparent to the business and we'll see a renewed effort placed on compliance within the scope of managing risk because the former is actually a by-product of a well-executed risk management strategy.

We have compliance as an industry today because we manage technology threats and vulnerabilities and don't manage risk. Compliance is actually nothing more than a way of forcing transparency and plugging a gap between the two. For most, it's the best they've got.

What's traditionally preventing the transition from threat/vulnerability management to risk management is the principal focus on technology with a lack of a good risk assessment framework and thus a lack of understanding of business impact.

The availability of mature risk assessment frameworks (OCTAVE, FAIR, etc.) combined with the maturity of IT and governance frameworks (CoBIT, ITIL) and the readiness of the business and IT/Security cultures to accept risk management as a language and action set with which they need to be conversant will yield huge benefits this year.

-snip-

Well said (but then again I'm biased)!