Few things besides regulations are making companies plunk down dollars for infosecurity. While compliance will...
surely help a company's security posture, it may not make it secure enough.
Regulations such as the Health Insurance Portability and Accountability Act, the Sarbanes-Oxley Act, the Gramm-Leach-Bliley Act and California's SB 1386 all have requirements that touch upon security. Failure to comply will open companies up to fines, civil lawsuits and, in extreme cases, criminal charges.
In many ways, regulatory compliance acts as an ad hoc security standard. Companies can use the regulations as a roadmap for their security investments. "Without tools you are not going to know what good security is," said Pete Lindstrom, research director at Spire Security.
No regulation, however, explicitly lays out that a company should use 128-bit encryption or update antivirus signature files in a particular time frame. The laws are more focused on the planning and process needed for protecting certain classes of data.
For example, Sarbanes-Oxley isn't specifically about security -- or technology for that matter. The law was passed in the wake of corporate governance scandals in the United States. It requires CEOs and CFOs of publicly traded companies to sign off on their company's books. Security comes into play because the law requires the executives attest to company internal controls, which hits squarely upon security.
Now, few would argue regulations will create a security Shangri-La. For starters, the security requirements of the laws aren't necessarily that high. "If you have a great security program, then you should meet all the requirements," said Mark Doll, director of Ernst & Young's security and technology solutions practice for the Americas.
The opposite, however, isn't true. A company that complies with regulations doesn't necessarily have a great security program. "Regulations won't create the best security programs but none would fail greatly," Doll said.
Both Doll and Lindstrom warn companies need to look beyond the requirements for regulations if they want a great security program. "There is plenty of room to fall flat on your face," Lindstrom said. For example, HIPAA requires companies do risk assessments to justify their security measures. If a company decides to not do something because of its risk assessment, there is nothing to stop the government from coming back and saying, "That's wrong. You should have done it," he added.
"If companies only focus on regulations then they will be too caught up on the trees to see the forest," Doll said.