In many ways compliance and security hold similar positions within the IT industry: both make wide and varied demands that defy simplistic solutions; both are consistently among the top priorities for the board; both require considerable expenditure, which many companies begrudge because it is seen as ‘dead' money, adding little to competitive advantage.
Yet it is a disservice to corporate regulations to portray them as unnecessary money-guzzling burdens. Section 409 of the Sarbanes-Oxley Act (SOX) compels US companies or those trading in the US to report any events which could affect the value of the company to their shareholders. And a security incident can have a major impact. A survey by the University of Texas' Information Security Centre of companies listed on Nasdaq found a breach in their security would hit their market capitalisation by 3% to 4% within 48 hours. It predicted an average timescale of six to eight weeks for that market value to return to the pre-breach limit.
Security systems must be sensitive to a broad range of regulatory pressures – with different countries applying different standards, there can be discrepancies between what is deemed ‘best practice'. In some countries organisations are expected to account for outbound emails, potentially involving opening up employees' email; French law forbids it. Italian data protection law mandates that all passwords securing personal data must be at least eight characters long, so a multinational with Italian offices would have to take that into account.
The Californian Senate Bill 1386 stipulates that companies based or doing online business in the state must notify their customers if there is a breach in the security of personal information they hold. As Michael Colao, director of information management at Dresdner Kleinwort Wasserstein bank, says: "We're a global bank; we've got customers everywhere. Can I suffer the reputational risk, if there is a breach, of quickly calling my customers in California and nobody else? No way."
This atmosphere can prompt many businesses to apply more stringent policies than necessary, for example by keeping all emails, even spam and personal notes. But management headaches can be spared by spreading a consistent security policy across the whole organisation, based on a balance of all relevant regulations.
"You have to take into account industry and geographical standards," explains Mike Usher, group security advisor from international financial services giant Prudential Plc. "If the local law requires less than the group standards, we apply the group, and vice versa. Whatever we do we always maximise rather than minimise."
Reacting to each law individually is liable to create little more than a muddle, so companies are encouraged to find common requirements and embed as many as possible into an enterprise-wide security policy. Outbound email should be scanned and controlled so sensitive information cannot leave the company, and the network secured from hackers and malware so personal data cannot be captured and used maliciously. Policy management software may help to ensure different frameworks do not conflict and find common ground between regulations.
By easing the management burden, a policy-based approach helps companies get away from thinking of compliance as merely "ticking boxes" and towards improving their business. Having to demonstrate security in one area can lead to wide-ranging efficiencies in others. For example, section 404 of SOX demands the complete integrity of the financial information around which auditors' reports are based. Identity management can be used to prove who accessed what data and when, but it can also reduce company spending on helpdesk calls, by tackling the problem of forgotten passwords, and obviating the need for passwords to be reset.
Omar Hussain, senior vice president for marketing and product development at single sign-on vendor Imprivata explains that a large proportion of customer frustration at the helpdesk stems from forgotten passwords. "It's easier to make one point of entry ultra secure than to have many that aren't. That one method of authentication, for example biometric ID, might have been prohibitively expensive before. But now companies are saving on the helpdesk so they can afford to pay $100 a user."
Considering around 70% of a business's confidential corporate information is communicated via email, tight email scanning to complement a coherent and clear role-based policy is essential. Systems can be trained to search for certain information or phrases that should not be let out of the company and messages can be sent back to the sender or deleted.
But technology alone cannot solve the problems of security and compliance. Education is the key, says Shaun Fothergill, UK and Ireland security strategist at systems management software vendor Computer Associates, but threats should be explained in easily understood terms – such as people's salaries, profits, shares – not jargon. One of the most common problems today is that security is treated as a technical issue, says Fothergill, that results in the wider business not understanding the potential problems, and means users are frequently confused about their responsibilities. "If the security policy makes a thud when it lands on the desk, it's too big," he adds.
Most important of all, says Prudential's Usher, is the need to understand the business's priorities. Security and compliance should not get in their way.
"I'm not here to stop business being conducted," Usher says. "We have some 290 controls we measure against. Some we find we have fulfilled incompletely and we rectify them; other policies might have to be reduced if they are simply unachievable. Some are followed through without exception, but you can't let controls affect the business."