
No escape from the regulator

Nobody likes having someone looking over their shoulder and telling them how it's done, but this is the reality for CISOs in a tough regulatory environment. By Rob Buckley

Whether they work in traditionally regulated industries such as healthcare and telecoms, or a less-regulated environment such as retail, the work of CISOs is being thrust under the spotlight and subjected to numerous requirements related to governance, risk and compliance (GRC).

While the likes of Sarbanes-Oxley and the Data Protection Act have been around for years, recent additions to the list of GRC standards include the UK's Good Practice Guide 13 and Bribery Act, and the US's whistleblowing legislation, the Dodd-Frank Act. There are, in fact, too many to mention in this article, even if we ignore individual states' breach disclosure legislation, the numerous EU directives and other country-specific laws.

This compliance burden has been increasing steadily over the past decade or more, but only recently has it been taken seriously by many organisations, thanks in part to fines imposed and action taken by the regulators. "There are now serious implications of not taking appropriate actions," says Jeff Schmidt, executive global head of business continuity, security and governance at BT Global Services. "The CFO and CEO can go to jail now."

Martin Landless, technical director, international at LogRhythm, explains: "There's now a definite push to adopt compliance regulations. It used to be enough to say you were working towards compliance. It was like a 'get out of jail free' card, but that's not satisfactory any more."

No excuses
The PCI DSS rules were once easy to avoid, particularly for small companies, either through self-assessment or by using the "working towards compliance" excuse above; they are now being enforced. Other agencies, including the Information Commissioner's Office, are also looking to make examples of companies in breach of regulations.

Most compliance legislation, however, doesn't involve harsh penalties - and for many companies, particularly those in the financial services and defence sectors, the fines that do exist are not large enough to worry them. Of more concern are the reputational issues.

"The media is making organisations sit up and pay attention. That exposure is more crucial than financial penalties," says Martin Knapp, managing director of Mycroft Talisen, which provides cyber security and IT governance services to the defence and aerospace industries. For defence companies in particular, not being able to secure their own systems reflects badly on their products.

Small and medium-sized businesses can't escape GRC either. While there's no legislation that targets SMEs specifically, more of them are being scrutinised by the banks, which are in turn being put under pressure by credit card issuers to ensure corporate customers are PCI DSS compliant. Neither does their size make them immune to the Data Protection Act and data loss issues, because although the under-resourced Information Commissioner's Office has mostly been targeting larger organisations, SMEs face mounting pressure from customers and suppliers to show compliance.

"It's not just your infrastructure you have to worry about but that of anyone you do business with," says Frank Kenney, vice president of global strategy at Ipswitch File Transfer.

However, GRC is also being seen in a positive light - as a way of marketing companies' trustworthiness. Matthew Tomlinson, director at SecureData, reports that budgets are being allocated to GRC projects for this reason. "It's being seen as a business enabler. Internet-facing businesses are advertising their PCI DSS compliance or their adoption of ISO 27001 and so on to show consumers and partners that they can be trusted with data."
