No escape from the regulator
- SC Magazine, August 2011
Nobody likes having someone looking over their shoulder and telling them how it's done, but this is the reality for CISOs in a tough regulatory environment. By Rob Buckley
While most CISOs know about the high-profile pieces of compliance legislation, there are bound to be gaps in their knowledge.
Recommind's senior corporate counsel, Howard Sklar, claims that 20 per cent of chief information security officers have not heard of the UK Bribery Act, despite risk manager Willis recently being slapped with a £7 million fine from the Financial Services Authority.
Continuous struggle
Jonathan Preston, who works in Hitachi Data Systems' information management division, says many CISOs in multinationals are struggling to deal with all the compliance regulations that apply in different countries. Michele Zoerb, director of information security at 41st Parameter, which trades in the US and the UK, had to undertake considerable research when implementing compliance measures in the company's various offices - and ended up drawing up a grid of what was mandatory, what was voluntary, the fines involved, and what could legally be imposed, for each territory.
Awareness is just the beginning, of course. "Generally, people know what they're required to do and how to demonstrate they're doing it. Where they struggle is knowing how to do it," says Simon Marvell, a partner at Acuity Risk Management.
Reading the regulations themselves isn't always a help. "I wouldn't advise reading the first few pages of PCI DSS unless you're a major insomnia sufferer," says SecureData's Tomlinson. "It appears onerous, it's full of government speak, everything's bad and the sky is falling in."
Relying on trusted partners for help isn't always a good idea either, says Ash Patel, country manager for the UK and Ireland at Stonesoft. "All of us ultimately have the goal of selling products. You need to go to an independent organisation [for impartial advice], but again you need to be careful you don't end up with an unnecessary consultant," he explains.
Patel adds that while larger outfits are typically well-versed in compliance requirements, SMEs tend to know only "what an IT salesperson has told them".
To keep within budgets and reduce complexity - as well as prevent the pre-audit rush to update compliance - CISOs are now looking at more generic frameworks that they can adapt to their own needs. 41st Parameter's Zoerb says aiming for ISO 27001 compliance, on which PCI DSS is largely based, is effectively future-proofing the company against big adjustments for further compliance legislation.
Garry Sidaway, director of security strategy at Integralis, says: "Organisations are trying to stay agile and reuse policies, to make sure they are reusing good project governance."
It's this kind of approach that is likely to pay dividends in the long run. While it might be tempting to stick to a spreadsheet of practices, now is the time for those who have somehow escaped GRC to look at a framework for the future, not just to avoid the stick of fines and breach notifications, but to achieve better working practices and improved partner and customer relationships.