Achieving compliance with increasingly stringent, changing, and overlapping governmental and industry regulations requires that your enterprise:
- Protect business-critical corporate information, most notably personally identifiable information (PII).
- Maintain control over, and ensure visibility into, corporate information assets, from servers to widely distributed and mobile endpoints.
- Communicate your security policies and procedures to employees and partners.
It falls substantially to an increasingly strapped IT department to ensure that the enterprise meets its regulatory compliance goals and, at the same time, to detect and stop threats to enterprise information.
By focusing on driving risk out of the equation and taking a more proactive and, where appropriate, automated approach to security, IT can fulfill both missions more efficiently: it achieves compliance and better protects corporate information, while helping to meet the financial goals of the enterprise.
Compliance controls don't make a security posture
Given that compliance and security share similar mandates, you would expect considerable overlap between enterprise compliance and security initiatives. In practice, organizations continue to focus on, and budget for, meeting specific compliance controls, whereas funding for new security initiatives is often harder to obtain. Frequently, the initiatives to meet and pass compliance audits are crafted and maintained by teams separate from enterprise security.
Say you have addressed the requirements of a specific compliance regulation by deploying some basic security technology. To help satisfy PCI DSS requirements, you have installed encryption software and simple access controls. You may pass a PCI DSS audit, but you have not achieved an effective enterprise security posture.
Today's advanced attacks are designed to work around exactly these defenses, a fact that those designing compliance strategies may not know and, in the long run, are not held accountable for. The two realms need to coordinate.
Does the company's security posture include monitoring of where and when the encryption software is actually running, rather than merely that it was deployed? And what steps have been taken to prevent access and authorization controls from being hijacked, a common technique in advanced attacks? Without such measures, valuable data and business systems remain vulnerable and, if compromised, may result in significant damages (lost business, notification requirements, penalties and fines, damage to brand, etc.).
Reactive security is no match for advanced attacks
Those responsible for designing security strategies may feel that they are adequately protecting data and systems, and meeting compliance regulations, by using tools such as antivirus (AV) software and host intrusion prevention systems (HIPS).