Compliance is no guarantee of security
The regulatory landscape is constantly evolving. For example, tougher new EU data protection rules are scheduled to come into effect over the next year or two. As proposed, they would expose non-compliant firms to fines of up to €100m or five per cent of global annual turnover, whichever is higher. Last year there were 2,164 recorded incidents of data loss. According to a report by Risk Based Security and the Open Security Foundation, 72% involved external attackers while 25% were classified as internal incidents, although the latter were attributed mainly to human error and accidents rather than malicious intent.
Yet, often for reasons of cost and complexity, many off-the-shelf compliance solutions on the market today have yet to prove themselves from an ROI point of view. Instead, firms commonly choose to meet their compliance obligations with home-grown methods, often spreadsheet questionnaires, to manage compliance programmes such as PCI DSS.
While there is nothing wrong with the PCI DSS standard as a set of controls, it is little more than the baseline minimum that an organisation should set out to achieve. It should not be a replacement for solid Business-as-Usual (BAU) security practices. One of the biggest data breach stories of 2013 was at US retailer Target, where payment card details and personal data of around 110 million customers were reported to have been exposed. Whether Target was in compliance with PCI DSS at the moment it was breached is beside the point: an assessment against the standard is not evidence that the controls are operating day to day, and statistically most organisations are not fully compliant anyway. According to Verizon's 2014 PCI Compliance Report, only 11.1% of businesses assessed globally were fully compliant in 2013.
PCI DSS compliance is validated by a single assessment each year (supplemented by quarterly external vulnerability scans for most requirements). The assessment represents a moment in time: an accurate verdict on the state of the controls at a single point during a twelve-month period. It is not a guarantee of compliance even for the following day, let alone for any enduring length of time. Breaches regularly occur at organisations that passed a PCI DSS assessment only months earlier, because a control that was in place on assessment day can be misconfigured, bypassed or switched off the day after.
One possible reason for this goes back to the spreadsheet. The spreadsheet, for all its versatility, is simply part of a largely manual process. In a large-scale compliance audit the spreadsheets cut across all kinds of internal programmes and departments (HR, Finance and IT, for example). It is almost impossible to gauge the overall status of a large-scale compliance programme without lengthy and painstaking analysis of hundreds of completed responses. Skilled compliance and risk personnel end up burdened with manual process administration and are given insufficient insight into trends and anomalies to support business decisions.
This absence of automation in a spreadsheet-based approach is its Achilles' heel. A lack of shared obligation or team effort places all of the responsibility for delivering results with the compliance officer. At the same time, questionnaire recipients are told they have to complete them although they may not fully understand how critical the data they provide is, or that an answer copied from last year's sheet may no longer be true. Meanwhile, as far as their managers are concerned, it is just another job that has to be done. You have no central visibility of your audit's status and very little control over the compliance process. In short, you end up with something that is little better than the pursuit of compliance for compliance's sake instead of making security the first priority.
Neither off-the-shelf nor home-grown systems are currently meeting what organisations need most: an easy-to-implement solution that supports existing processes (rather than re-engineering them) and has built-in analytics to allow informed decision making based on the organisation's exposure to risk. With data breaches on the increase, organisations in the 21st century need something better than spreadsheets to manage their security processes.
In my experience, organisations find standards such as PCI DSS much easier to comply with if stakeholders are able to collaborate in a centralised, control-oriented process hosted in the cloud. This has the immediate benefit of helping organisations automate their auditing process. It also gives them an easy way to devolve responsibility for completing questionnaires, or sections of questionnaires, to those most qualified to provide the answers, and to centralise evidence collection. This eliminates any need for lengthy spreadsheet-based programmes and frees highly skilled compliance and risk personnel from time-consuming project administration. One caveat: a hosted platform holding your control evidence is itself a third-party service provider, so it needs the same due diligence as any other supplier.
The ability to bridge the intelligence gap between off-the-shelf and home-grown compliance systems is a real game changer. By giving organisations immediate visibility of status and greater overall control over their compliance programmes, it helps them meet their current compliance demands and makes responding to future changes much easier. A control-centric process embeds demonstrable, working controls into the daily routine; the controls are operated and evidenced as BAU regardless of which standard is being assessed, and mapping them to the regulatory requirement becomes a reporting exercise rather than the driver, which makes continuous compliance part of everyday best practice.
In conclusion, I believe a continuous BAU approach to information security is essential. Furthermore, a cloud-based software-as-a-service approach can make the transition of existing processes straightforward and extremely cost-effective. Improving the security of your organisation is a better way to safeguard against breaches than relying exclusively on "tick box" compliance exercises. A continuous approach to compliance puts controls at the centre of the compliance programme: control activity is performed and monitored throughout the calendar year, rather than relying on an annual audit. This approach provides real-time visibility of the organisation's compliance status, with the net effect that more merchants incorporate PCI DSS compliance into their BAU practices and, importantly, improve the organisation's security posture.