There is a yawning chasm between the growing threats faced by many organisations and what information security is doing to combat them. Many security professionals have to deal with these increasing threats with fewer resources, as more money is spent on conforming with a glut of rules and regulations. As a result they feel bogged down by compliance and regard it as nothing more than a "box-tickers' charter".
Ernst & Young's Global Information Security Survey, published last year, found nearly two-thirds of security professionals considered compliance to be the main part of their job and the primary driver for better information security. But many in the community say that compliance is not worth the effort or money when there are more pressing security needs.
Jan Babiak, managing partner of Ernst & Young's UK Information Security practice, and one of the authors of the report, disagrees. She says compliance is far from being a waste of time and can actually help an organisation fight threats more effectively, by showing up any weaknesses in its infrastructure.
The survey of more than 1,300 organisations in 55 countries found that 61 per cent of companies cited compliance with regulations as the top driver of their organisation's infosec practices, against 53 per cent citing worms and viruses.
"What's happened with the regulations, and particularly Sarbanes-Oxley and the European Eighth Directive, is that they haven't really hit home in terms of what it is going to mean for us yet," says Babiak. Some 88 per cent of organisations say they are creating or updating policies and procedures on the back of such directives.
But Babiak says that SOX requires controls to be in place that must not only be documented and tested, but also signed off by an external auditor. This affects not just US companies but also large international firms that are US-registered, and it represents a big change in how companies conduct themselves. Yet fewer than a third of respondents hold monthly meetings with internal audit, compliance and business unit leaders.
"There was quite a lot of effort in the past few years where people just spent a lot of time documenting things. In the security community, people were asking: 'Was that a good use of our time documenting things the legislation requires?'." Indeed, 81 per cent of respondents said infosec was most important in complying with corporate policies and procedures.
"But we also know that whatever isn't measured often doesn't happen, and one of the things that came out of this... is that when people began documenting, they began to notice gaps," she says.
So compliance and the documentation it involves could be the start of sorting out the causes of weak security, and not just patching up the symptoms. Done properly and in the right spirit, it could also make the business run more efficiently.
With many companies, Babiak found that those conducting the documentation unearthed surprising results: "As they began to test whether they were compliant, they found that some divisions were not." Some controls were burdensome and people chose to ignore them. And controls thought to be in place were proven to not actually exist. So the process of documentation which at first seemed a waste of time actually began to expose chinks in the armour – a good way to find problems, she admits, but "a rather expensive way to get there".
"In reality, well-controlled companies didn't find it so burdensome. Those complaining about the cost were not very strong in having controls before."
The survey found that organisations of all sizes face many of the same challenges when implementing regulations, but that while 34 per cent of large companies had formally adopted and/or become ISO 17799 certified, only 18 per cent of smaller organisations had done so.
Too many organisations fail to consider risks such as immature controls, intellectual property infringement and quality concerns. Instead, nearly half of survey respondents identified areas such as mobile computing, removable media and wireless networking as top new technologies with significant security concerns.
And don't assume that a business with strong security controls is a better-run business. Babiak says this must be taken in the context of the business itself. "Some can be very well run and not have great security because their risks are not so great. Others, such as the US Department of Defense, would not be well run if they didn't have good security."
So did out-of-control companies spend the most getting compliant? Again, she is wary of the generalisation, but points to a number of studies showing that firms with strong governance, whether of IT or of the wider business, do tend to be more profitable.
While the survey suggests a widening gap between what the threats are and where the resources can be deployed, how do businesses square the circle and make sure they can both see off attacks and avoid falling foul of the wave of laws and regulations? Babiak says that security professionals need to make judgements that are more of an art than a science. "The traditional arts have elements of science in them – if you pick the wrong platform, the wrong canvas and put the wrong medium on it, it won't stick. It will deteriorate over time. Similarly, there is some science to security, but how much you apply, where you apply it, how you manage it back to where your risk is, is much more of an art."
One example is financial institutions weighing up the pros and cons of two-factor authentication for internet banking. "There is no doubt that two-factor authentication would be scientifically a better solution than the more common password/user ID approach," says Babiak.
But the fear is that customers might not put up with the more intrusive system and move their accounts. "So there is a judgement, an art, to deciding the balance of protection of stakeholders, shareholders and company assets versus the loss of customers, which of course is also not in the interest of the shareholders," she says.
But is security an art because it is more to do with how people react and not so much how systems react? Babiak believes that the greatest challenges are faced by security professionals who don't do their homework and deal with everything there and then, instead of planning and thinking through what the causes of security weaknesses are rather than the symptoms.
"I know organisations that do a pretty comprehensive review which identifies quite a lot of symptoms. But this review allows them to also see what the causes are. Then what people will do is focus on fixing the system, the symptoms instead of the causes," she says.
She says that companies will test a sample of applications and manage to break into, for example, ten applications out of 30. But the real problem lies in the process for deciding what controls to put in place.
"People will get all caught up in 'show me those ten and I'll fix them', and can go to their boss and say they have fixed those ten. They are completely missing the point, because the point is that you haven't dealt with the cause, which is you don't have the proper controls in place."
For Babiak this comes back to the very point of compliance and why companies can use it to address the gap between risks and actions.
"This is what a lot of this regulation is actually dealing with. It is not dealing with a long list of little things you need to fix. What it asks is: 'Do you have the fundamental controls; good change controls and good access controls?'. It works you through systems of control and makes us look at the processes we have in place to make sure that you are preventing it and detecting weaknesses."
So with the right application of effort, the money spent on compliance could save money fighting threats in the future. Closing the gap, suggests the report, can be done by applying sound information security practices, which is part and parcel of compliance.