In the last few months, I have been meeting with a variety of CISOs who share one universal concern: legislative compliance. I realize that this is not a newsflash. However, the one issue that is less obvious is that the job of the CISO is becoming one of keeping auditors happy. CISOs have little discretionary budget or time to make any improvements that are not directly related to HIPAA or SOX compliance.
Clearly, CISOs are fighting fires. They are investigating incidents, attending meetings, gathering support for their efforts, etc. However, it seems as though the remainder of their time and budget is spent worrying about regulatory compliance. This means that they have less and less discretion over how to improve the security of their organization in the future. For some companies, this is not necessarily a bad thing.
Regulations require that companies protect the integrity and confidentiality of specific types of information. This implies that computers must be appropriately secured, and executives can theoretically go to jail if the information is compromised. This turns security from an organizational "should" into an organizational "must."
There are a few catches though. What is actually a "must" is what your auditor says is a must. Security requirements for SOX and HIPAA are extremely vague. Auditing firms that determine whether a company is in compliance have a great deal of discretion. Some auditors might be less strict than others. For example, some auditors might only examine the policies and procedures in place to see if they are being followed. Others might require a detailed hands-on assessment to verify that the procedures actually result in strong security. That is a major difference and significantly affects the scope of the audit. As long as the company hires an auditor in good faith and follows the guidance of the auditor, the company is performing due diligence and is in a defensible position in the eyes of the law, should a security breach take place.
The reality is that most reputable audit firms will be relatively thorough in their reviews. The assessments will be detailed, and that takes a lot of time. One CISO I spoke to stated that given the size of his organization, by the time the company finished the SOX assessment for this year, he has to start the assessment for next year. There is little room for implementing any discretionary programs.
This is not a unique situation and frankly, for most companies, this is a major improvement. Companies now have people ensuring that they implement adequate controls, or at least arbitrarily-determined adequate controls. HIPAA and SOX are positive things for most companies and help most CISOs justify their programs to management.
Unfortunately, the more security-progressive companies will be hurt the most. They will have to divert their resources to ensuring compliance, instead of continually improving their security posture at their own discretion. CISOs may even have problems getting new efforts funded if they cannot prove the efforts are required for compliance.
To address these concerns, CISOs should milk SOX and HIPAA for all that they are worth. State that new security efforts will be required for compliance. Also, CISOs should work with auditors to figure out what can make compliance assessments go quicker, and if there is anything they can implement, such as scanning tools, single sign-on, token authentication, etc., that will eliminate significant pieces of the assessment.
The vast majority of CISOs can now use regulation as a way to justify security improvements to their management. Security is now a "must," not a "should." I am not claiming HIPAA and SOX requirements are perfect, but they are a reality. Unfortunately, legislative compliance might become your only focus if you don't plan accordingly.
About the author
Ira Winkler, CISSP, CISM, has almost 20 years of experience in the intelligence and security fields, and has consulted to many of the largest corporations in the world. He is also author of the forthcoming book, Spies Among Us.
This was first published in July 2004