Compliance costs, and every organisation knows it. A 2005 survey by Computer Associates' identity management software division, Netegrity, found that over 20% of US companies required to meet the stipulations of the Sarbanes-Oxley Act (SOX) alone were spending over $1 million to comply. In order to justify this expenditure, companies must prove that compliance has side-benefits for the business – besides keeping the chief executive out of jail.
For many years, security was thought of in a similar way. Preventing unauthorised access to the network was begrudgingly seen as a necessary investment – but not one which would add value, generate a return or bring competitive advantage.
That view has gradually changed as companies have learnt to invest in security technologies that bring efficiencies in other areas, often within the IT department itself. Identity management is a prime example, making provisioning of new user accounts easier and saving substantial sums in help desk calls for password resets.
It is also an area of particular relevance to SOX section 404, which describes the controls that companies must install to ensure that financial reports are accurate and not inappropriately disclosed. Identity management provides an audit trail of who has accessed which information and when.
While no legislation explicitly demands additional IT security measures, there is plenty of overlap. It has helped highlight an oft-neglected security risk: the threat from within the enterprise. Sensitive information – such as financial results during a company's ‘quiet period' before numbers are publicly announced – could be disclosed by insiders via outbound email. Messaging security vendor Proofpoint estimates that some 70% of confidential corporate information is communicated through email.
As such, email scanning is one critical component of the fusion between compliance and security. Emails can be opened up at the gateway, and the system trained to look for information that should not be let outside the company and then either let out, returned to the sender or an administrator, or destroyed.
But if the latter occurs without anyone knowing, the risk remains undiminished – and so no business value has been extracted from the investment. Here again, compliance and return on a security investment need not be mutually exclusive. Just as regulations demanding timely publication of financial results have given business intelligence software a fillip, the reporting of security events is an increasing priority for compliance-conscious companies.
The credibility cost
SOX section 409 demands that any events that could materially impact the bottom line should be reported to shareholders. This is not just an issue for CFOs: A survey of 100 NASDAQ-listed companies by the University of Texas' Information Security Centre found that a breach in their security cost 3% to 4% of their market capitalisation within 48 hours. Furthermore, on average it took between six and eight weeks to regain the market capitalisation.
Such laws will only increase in volume. What that means, says Ray Stanton, global head of security services at BT, is that businesses need to have a framework that is flexible and adaptable – "something that will enable them to meet 80% to 90% of any new laws in any country". Regional variations are a particular headache for compliance officers.
French law prevents employers from opening and reading their employees' emails. The Californian Senate Bill 1386 demands that anyone doing business in that state inform their customers if a security breach has exposed personal information. Data protection law in Italy stipulates that all passwords securing personal data must be at least eight characters in length.
Rather than reacting to each law individually, an internationally applicable security policy based on best-practice security guidelines makes for a more coherent approach. Analysts recommend adopting standards such as ISO17799, COBIT and ITIL as the best way companies can indemnify themselves against future legislation.
But without security reporting or central management tools, there is no way of ensuring users are paying heed to the policy. Reporting dashboards can help security officers measure the value of their security mechanisms and central management consoles can ensure these tools are properly controlled in line with policy.
While compliance can force companies to adopt security stances which they ought to have in place anyway, it can also pull the other way. Buyers should be wary that they avoid many vendors' marketing hype around new regulations. Compliance – in security as elsewhere – is taking up an increasing portion of the budget – often without being given proper evaluation.
"A compliance-led approach competes with a risk-based approach," says Jason Creasey, head of projects at user group the Information Security Forum. He warns that it might not focus security investment in the right places: "If a company lists the general ledger in its top ten most important assets, they're just plain wrong."
The key to extracting value from compliance is perhaps not to address it directly, but to concentrate on the broader security goals of adopting best practice frameworks and effective risk management. Then it is compliance which is the happy side-benefit, not the business gains.