A CIO once quipped, "Security isn't hard, compliance is." And in fact many companies focus their security efforts on meeting compliance requirements. But if you are audit-compliant, have you in fact addressed all of your risks, or are you just kidding yourself? Is it better to focus on the risks, presuming that doing so will also cover you on the compliance side? Network World's Editor in Chief put the question to two practitioners, both of whom come down on the side of risk.
Navigate Uncertain Waters by Managing Risk
By Christian Anschuetz, SVP, CIO of UL
History aptly illustrates that great losses can occur even when an organization is fully compliant with the necessary laws and regulations.
When the HMS Titanic disappeared beneath the waves with over 1,500 souls aboard, the captain and crew had complied with the most important rules guiding their conduct. The Titanic had, for example, precisely the number of life boats the law required, but sadly far too few to save the lives of all the passengers on the doomed liner.
What was proven true then is still true today; namely, that simply complying with laws and regulations without considering a broader perspective of the perils present in this uncertain world can result in the sinking of even the most promising endeavor.
Certainly there must be a balance between compliance and risk. Both are necessary. But ensuring compliance should represent an organization's starting point, not the endgame. Although firms must meet the appropriate regulatory standards simply to conduct business, doing so might not be enough to truly protect their interests and workforces.
As a firm grows and matures, it quickly begins to realize that most regulations represent only the absolute minimum standard that must be adopted, and stopping there exposes the firm to unnecessary potential harm. OSHA standards, for example, detail the minimum legal requirements that firms must follow to protect their workers, but a company is at risk when an optimal level of employee safety is not addressed and integrated into the cultural fabric of the organization.
Moving from a compliance mindset to one focused on managing and mitigating risk can be difficult, but is important and necessary in this dynamic and often dangerous world. Compliance, which is the act of ensuring conformance with stated requirements (laws, regulations, contracts, strategies and policies), is second nature to most firms. It represents the "rules of the road." As good citizens, we are accustomed to following the rules. But to manage risk? Well, that involves dealing with something less obvious, less concrete and substantial; it requires a whole new way of thinking.
Risk management involves identifying and analyzing situations that might adversely affect the realization of a firm's objectives and, where necessary, planning responses to them; it is tailored to the exact nature of the organization's business. Using this framework, a wide variety of risks are typically addressed, including technology risks, information security risks, commercial and financial risks, and even regulatory compliance risks. As such, a proper risk management practice addresses not only the complex identification of what could go wrong, but also the risks of non-compliance.
Both risk management and compliance are essential, and firms that merge, balance and manage the overlap between the two are most likely to avoid the biggest and most dangerous obstacles to their existence.
Complying with OSHA may very well protect a worker from the hazard of trips and falls and protect a firm from non-compliance fines and/or other sanctions, but to create a truly safety-minded culture a company needs to embrace and integrate safety practices into the very core of its business.
A company may likewise be in compliance with data privacy laws; however, without explicit education and process in place to protect its key information, it can suffer massive brand damage. In this situation, an exemplary risk management practice would ensure that data privacy standards were adhered to and, based on the specific risk to the corporation of data breaches, would have created restrictions and response plans to address other potential hazards, such as members of its workforce employing social media tools in an inappropriate, or at least unexpected manner.
As mentioned, non-compliance itself is a risk. The cost of getting compliance wrong today can be staggering. Whether it is UCLA Health System paying $865,000 for alleged violations of HIPAA's privacy and security rules, or Visa's suit against Genesco for $13 million in fines for noncompliance with the Payment Card Industry Data Security Standard, barely a day passes where we don't read about a hefty fine levied against a firm that ran afoul of laws and regulations. Risk management should consider compliance its own risk category, much like credit or market risk.
Regardless of what position a firm takes on the relative importance of risk management vs. compliance, the notion of "checkbox compliance" will never sufficiently protect a firm from the many hazards it encounters. Mere "checkbox compliance" does not come close to equaling true risk mitigation. Had the captain of the Titanic taken a risk-based approach to his last voyage rather than a myopic focus on compliance, history would have recorded a far different outcome.
UL is a global independent safety science company with more than a century of expertise innovating safety solutions from the public adoption of electricity to new breakthroughs in sustainability, renewable energy and nanotechnology. Dedicated to promoting safe living and working environments, UL helps safeguard people, products and places in important ways, facilitating trade and providing peace of mind.
Focusing on risk addresses compliance holistically
By Dan Abdul, Chief Information Officer, Minnesota Department of Veteran Affairs
Chasing compliance is an endless proposition that consumes valuable resources which could be better spent on an enterprise risk management initiative, one that clearly defines the acceptable levels of risk an organization can address using an agreed-upon risk management and governance process.
Done right (avoiding unnecessary risk or overcompensation of controls), the organization can evaluate its current internal controls process and determine the appropriate risk tolerance profile by:
- Determining the risks that apply to your organization:
  - Risk of failing to fully comply with regulations
  - Loss of intellectual property and any sensitive information
  - Impact of disasters and unplanned events
  - Impact of an event which adversely affects the brand image of the organization
- Gaining stakeholder feedback on the impact and likelihood of these risks
- Benchmarking the existing process for managing the risks identified as concerns by stakeholders
- Identifying the costs required to address the risks
- Performing a cost/risk analysis
- Prioritizing control efforts accordingly
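The steps above come down to comparing each risk's expected annual loss against an agreed loss tolerance, weighing what a control costs against the loss it avoids, and knowing what residual risk is left (the point the essay returns to later). The following is an added example, not code from the article or from MDVA; the four risk categories are the ones listed above, while the impact, likelihood, cost and tolerance figures are constructed stand-ins for stakeholder estimates.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    impact: float        # stakeholder estimate of loss per event, in dollars
    likelihood: float    # stakeholder estimate of events per year
    control_cost: float  # annual cost of the proposed control
    reduction: float     # fraction of expected loss the control removes, 0..1

    def expected_loss(self) -> float:
        return self.impact * self.likelihood

    def residual_loss(self) -> float:
        # What remains after the control: this is the residual risk the
        # business must still judge against its acceptable level.
        return self.expected_loss() * (1 - self.reduction)

    def benefit_per_dollar(self) -> float:
        return (self.expected_loss() - self.residual_loss()) / self.control_cost


def triage(risks, tolerance):
    """Sort risks into three buckets against an annual-loss tolerance:
    'accept'  - expected loss already within tolerance, no control needed;
    'rethink' - the control costs more per year than the loss it prevents
                (the over-compensation of controls the essay warns about);
    'fund'    - worth funding, ordered by loss avoided per control dollar."""
    buckets = {"accept": [], "rethink": [], "fund": []}
    for r in risks:
        if r.expected_loss() <= tolerance:
            buckets["accept"].append(r)
        elif r.expected_loss() - r.residual_loss() <= r.control_cost:
            buckets["rethink"].append(r)
        else:
            buckets["fund"].append(r)
    buckets["fund"].sort(key=Risk.benefit_per_dollar, reverse=True)
    return buckets


# Constructed sample register using the essay's four risk categories.
SAMPLE_RISKS = [
    Risk("Regulatory non-compliance", 865_000, 0.10, 50_000, 0.8),
    Risk("Loss of IP / sensitive data", 2_000_000, 0.05, 40_000, 0.7),
    Risk("Disaster / unplanned outage", 500_000, 0.20, 90_000, 0.5),
    Risk("Brand-damaging event", 100_000, 0.15, 5_000, 0.8),
]

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_RISKS, tolerance=25_000).items():
        for r in items:
            print(f"{bucket:8s} {r.name:28s} expected ${r.expected_loss():>9,.0f}"
                  f"  residual ${r.residual_loss():>9,.0f}")
```

With these figures the outage control lands in "rethink" because it costs more than the loss it avoids, and the brand risk is accepted because its expected loss is already inside the tolerance.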
The latter is particularly important. The complexity and granularity of controls required by auditing standards and legislation, along with the fact that IT risk management efforts are not profit drivers, make resourcing a challenge. Prioritization is not an option but a reality for those accountable for the organization's risk management.
Regulations around privacy and data protection have most often been a response to an incident. Essentially, these regulations mandate what we should already be doing based on our organization's risk tolerance. The challenge with compliance regulations is that there is usually no defined set of controls you can use to determine with absolute certainty that you are compliant. It comes down to your organization's interpretation of the law vs. that of the auditor from the regulating body. More importantly, if you implement every control recommended for a regulation and still have a breach, you are not protected from lawsuits and fines from the regulating entity.
Threats exist in regulated and unregulated industries alike and not all incidents are malicious in nature.
Focusing on risk management allows you to effectively prioritize your mitigation efforts using a prioritization process. Organizations, after all, have to balance controls with operational efficiency.
The IT department's role is to assess and communicate risk related to technology. This is part of the overall business risk. The organization must then decide what is within its defined level of acceptable risk. It is important that IT does not assume this business decision. Risk management should be driven enterprise wide.
If we look at some of the major regulations, it becomes clear that simply addressing compliance does not necessarily protect the organization:
* Sarbanes-Oxley Act (SOX) requires that all publicly held companies establish internal controls and procedures for financial reporting to reduce the possibility of corporate fraud. Sarbanes-Oxley is not a set of business practices and does not specify how a business should store or control records; rather, it defines which records are to have internal controls and for how long.
* Payment Card Industry (PCI) compliance refers to a set of standards created to help protect payment card data from exposure that could lead to financial loss. PCI compliance requirements were put in place specifically to help protect merchants from a data breach, but they do not guarantee protection.
* The HIPAA Privacy Rule provides federal protections for personal health information. The Security Rule specifies a series of administrative, physical and technical safeguards for covered entities to use to address the confidentiality, integrity and availability of electronic protected health information. However, there is the issue of which of the addressable safeguards are applicable to your organization. This is frequently a source of internal debates, due to different interpretations.
But what happens if you believe you have addressed all safeguards, and you have an intentional breach from inside your organization? This is still a violation and will probably lead to major financial and brand image impact.
And a key challenge with all compliance regulations is agreeing on the definition of things like "minimum necessary privilege" and which data should be protected. It is much easier to let a risk-management process drive what data should be controlled at what level and what access users should have. This comes with an understanding of what residual risk remains, and whether it is within the business's level of acceptable risk.
The goal of regulations is protecting consumers. Organizations share the same goal, whether for compliance or ethical reasons. Of course organizations also want to remain financially viable, which is why it is better to focus on enterprise risk management rather than simply on compliance.
Minnesota Department of Veteran Affairs (MDVA) strives to improve the lives of Minnesota veterans, their dependents, and survivors through advocacy and securing benefits provided by federal and state laws. MDVA serves Minnesota's 381,000 veterans and their dependents through two divisions. The Health Care division provides various levels of long-term care. The Program and Services division provides state benefits and assists in securing federal benefits.
This story, "Compliance vs. Risk in Enterprise Security" was originally published by Network World.