Kevin Foster, testing services manager, MTI Technology, explains how to get the biggest bang for your buck when it comes to security
If anything has become clear over the past year, it’s that data security risks are real for organisations – and they’re only getting worse. From Ashley Madison to the recent Carphone Warehouse hack, security breaches have become commonplace and increasingly played out in public. Gemalto’s 2014 Breach Level Index showed that 1,541 IT breaches occurred globally in 2014 (up 46 per cent from 2013), with more than one billion records breached for the year.
The regularity of these incidents is forcing IT decision-makers to re-examine their security and compliance activities. Should organisations be doing more to secure data, or are breaches simply inevitable?
If you’re responsible for security, it’s worth considering whether you’ll still have a job if your business is publicly hacked due to your decisions. While investigators are still looking into whether the Ashley Madison was subject to a compliance regime, we’ve already seen the company’s CEO, Noel Biderman, resign. The consequences can, no doubt, be extreme.
Problems often stem from organisational attitudes towards security and compliance. Many businesses treat security and compliance activities as simple box-ticking exercises. Emphasis is placed on doing the bare minimum, with limited regard given to the intent and benefits of compliance.
This mentality is problematic, as it means security measures are deployed ineffectively, time and money is wasted, and decision-makers are unable to discern return on investment (ROI). A ‘mere compliance’ approach sees compliance become the enemy.
The organisations that see real benefits are those that go beyond mere compliance. They recognise the critical role that security assessments, penetration testing and ethical hacking projects can play in protecting enterprise and consumer data. Most importantly, they use security compliance budget in a way geared for optimisation.
But how can IT decision-makers ensure that they’re maximising the value of their security compliance budgets? Here are 10 tips to consider, courtesy of Kevin Foster, testing services manager, MTI Technology:
1. Link to business strategy
Avoid framing requests for resources and budget in mere ‘compliance’ terms, and highlight how compliance activities align with business goals. If you can effectively position how the activity supports organisational strategy, you’ll boost your chances of getting support.
2. Examine processes and outsourcing
Can you change organisational processes to reduce the areas that require compliance? If you can minimise the areas that require compliance controls, you can do a quicker, cheaper and better job over a smaller footprint. In addition, consider whether there are cost-effective options for outsourcing compliance to proven, qualified third parties.
3. Allocate budget strategically
If budgets are stretched, it’s worth considering big budget cuts to a small number of organisational areas. Doing so will enable you to funnel resources towards priority areas, as opposed to spreading resources wafer thin.
4. Emphasise balance
Particular compliance activities can dominate the IT budget and agenda, leaving other important activities neglected. This type of imbalance can see smaller problems accumulate and become much bigger and more costly over time.
5. Join up compliance
Time, money and resources can be saved by aligning IT and security compliance work-streams. Doing this can allow IT departments to address multiple, overlapping standards at the same time – boosting efficiencies. For example, there are many controls and concepts from the Payment Card Industry Data Security Standard (PCI DSS) that are also required by the Data Protection Act.
6. Security service level agreements (SLAs)
When procuring new IT solutions and third-party services, always try to include security SLAs. This will help to ensure that new systems entering your environment remain covered, secure and compliant over time. So, for example, if a new application fails a penetration test, your organisation isn’t the one needing to pay for upgrades or re-coding work.
7. Be honest and transparent
If the budget allocated isn’t adequate to do the job properly, let your stakeholders know that you can’t sign-off the scope-of-work. Take into account the potential costs of a security breach (organisational, reputational and financial) and examine whether investment is sufficient.
8. Be up-front with regulation authorities and auditors
If the intent of a particular compliance control isn’t applicable to your type of organisation, provide evidence of this and you may be able to bypass unnecessary work and costs.
9. Help shape compliance standards
Get involved with relevant trade bodies and interest groups to help shape the compliance standards that affect your organisation. Most special interest groups and forums welcome input from the industry.
10. Seek professional advice early
Speak to independent industry professionals about how to get the most out of your security compliance budget. Be transparent about your existing compliance challenges so that compliance strategies can be tailored to your specific needs. Also, avoid issuing wholesale tenders, as this often leads to less return on investment and a smaller scope of work.
Ultimately, even if you don’t operate in a heavily regulated industry, it is worth considering the implementation of comprehensive security standards to safeguard organisational and customer data. Given the frequency of public data security breaches today, it might be better to be safe than sorry.
How much do you know about Internet security? Take out quiz to find out!