Compliance vs. Security: Which Should Lead Corporate Governance?
Aug 31, 2010 5:00 AM PT
As companies battered by the recession have begun emerging from their cautionary stances, many are re-evaluating their IT security budgets and looking to solve the age-old question: "What should drive our strategy, security or compliance?" Now is the perfect time for companies to consider the right approach to an important component of their IT security strategy -- identity management -- with the goal of meeting both security and compliance objectives, while streamlining and automating processes to save time, money and resources.
Across industries worldwide, government regulations have evolved rapidly to address transparency, privacy and consumer data protection. Based on this expanding level of oversight, it is apparent that most regulatory bodies believe the typical large enterprise, left to its own devices, will not invest adequately to protect privacy, prevent fraud or effectively manage risk. This was certainly the case with many well-known regulatory efforts, including Sarbanes-Oxley, HIPAA, PCI, NERC CIP and Basel II. The foundational belief was that government, or in some cases industry, must mandate action in order to motivate the right behavior from companies.
Following Letter, Not Spirit
Ideally in this regulated world, the "compliant" companies could rest assured that they were secure. Yet in recent years, the news has been littered with "compliant" companies admitting to security breaches. Why? I believe many companies lost sight of the original intent of regulatory mandates (risk management, security, data protection) because they were so focused on following the letter of the law to pass their internal and external audits. As a result, it's common to see companies investing significant resources to achieve literal compliance, while they fail to proactively manage security exposures. The goal of proving compliance becomes the main focus of many companies, at the expense of holistically assessing, preventing and mitigating risks.
The reality is that compliance requirements are not going away. On the contrary, industry observers agree that as fallout from Wall Street's collapse, even more regulation is on the way. The Model Audit Rule, which effectively requires SOX-like compliance for non-public insurance companies, took effect on Jan. 1. Part of U.S. President Obama's stimulus package included the HITECH Act in healthcare, which effectively adds more "teeth" to HIPAA by requiring companies to disclose any privacy breaches. And in Europe, Solvency II, which provides more stringent risk management standards for insurers, is scheduled to take effect in 2012.
While no one in IT can argue against the need to address compliance requirements, companies must also manage IT risk effectively as they pursue both compliance and security strategies. Companies face heightened insider risk from layoffs, hastily completed mergers and stagnant wages, all of which increase the number of employees and contractors who might be inclined to steal or wreak havoc on the IT environment.
Identity Governance: Where Compliance and Security Intersect
Identity governance is an emerging technology category within identity management that addresses both the business and the IT dimensions of risk by taking a governance-based approach to managing identities. It enables companies to identify, measure and manage the risk associated with employee access to sensitive applications and data, treating identity management as a cross-departmental discipline that gives organizations the business insight to strengthen IT controls and protect corporate assets.
Implementing identity governance starts with a reliable baseline of data across a company's applications and systems at risk. Through a process of aggregating, correlating and cleansing identity data, identity governance provides a centralized foundation on which to build access certifications, role management, policy enforcement and provisioning processes (key components of both compliance and security). By creating an enterprise-wide view of their environment, companies can automate appropriate controls, assess and monitor risk and measure the effectiveness of controls in mitigating risk.
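The baseline described above (aggregate accounts from several systems, correlate them to authoritative identities, cleanse mismatched attributes, then drive controls from the result) can be illustrated in a few functions. The following is an added example written for this page, not code from the original article or from SailPoint's product; the HR feed, account extracts, system names and the separation-of-duties policy pair are all constructed for illustration.

```python
"""Toy identity-governance baseline: aggregate, correlate, cleanse, then
apply controls. All data below is constructed for the example."""
from collections import defaultdict

# Constructed authoritative identity feed (think of an HR extract).
HR_IDENTITIES = [
    {"emp_id": "E100", "email": "alice@example.test", "status": "active", "manager": "E900"},
    {"emp_id": "E101", "email": "bob@example.test", "status": "active", "manager": "E900"},
    {"emp_id": "E102", "email": "carol@example.test", "status": "terminated", "manager": "E901"},
]

# Constructed account extracts from two application systems. The ERP keys on
# employee id; the payment system only knows e-mail (in inconsistent case),
# so correlation must handle both attributes.
ACCOUNTS = [
    {"system": "erp", "account": "alice.m", "emp_id": "E100", "entitlements": {"create_vendor"}},
    {"system": "erp", "account": "bob.k", "emp_id": "E101", "entitlements": {"view_ledger"}},
    {"system": "erp", "account": "svc_batch", "emp_id": None, "entitlements": {"post_journal"}},
    {"system": "payments", "account": "ALICE@EXAMPLE.TEST", "emp_id": None, "entitlements": {"approve_payment"}},
    {"system": "payments", "account": "carol@example.test", "emp_id": None, "entitlements": {"approve_payment"}},
]

# Hypothetical separation-of-duties policy: no single identity may hold both
# entitlements of a pair, regardless of which systems grant them.
SOD_POLICIES = [("create_vendor", "approve_payment")]


def correlate(identities, accounts):
    """Map each account to an identity by emp_id, falling back to a
    case-insensitive e-mail match (the 'cleansing' step).
    Returns (correlated: {emp_id: [accounts]}, uncorrelated: [accounts])."""
    by_id = {i["emp_id"]: i for i in identities}
    by_email = {i["email"].lower(): i for i in identities}
    correlated = defaultdict(list)
    uncorrelated = []
    for acct in accounts:
        ident = by_id.get(acct["emp_id"]) or by_email.get(acct["account"].lower())
        if ident is None:
            uncorrelated.append(acct)
        else:
            correlated[ident["emp_id"]].append(acct)
    return dict(correlated), uncorrelated


def find_orphans(identities, correlated, uncorrelated):
    """Orphans: accounts with no owner, or whose owner is no longer active.
    Both are classic audit findings and a common breach foothold."""
    status = {i["emp_id"]: i["status"] for i in identities}
    orphans = [(a["system"], a["account"]) for a in uncorrelated]
    for emp_id, accts in correlated.items():
        if status[emp_id] != "active":
            orphans.extend((a["system"], a["account"]) for a in accts)
    return sorted(orphans)


def check_sod(correlated, policies):
    """Return (emp_id, left, right) for every identity whose combined
    entitlements across all systems violate a policy pair. Evaluating per
    system would miss the cross-application conflict."""
    violations = []
    for emp_id, accts in correlated.items():
        held = set().union(*(a["entitlements"] for a in accts))
        for left, right in policies:
            if left in held and right in held:
                violations.append((emp_id, left, right))
    return sorted(violations)


def certification_worklist(identities, correlated):
    """Group each active identity's access under its manager so the manager
    can attest to it (or revoke it) in an access certification campaign."""
    manager_of = {i["emp_id"]: i["manager"] for i in identities if i["status"] == "active"}
    worklist = defaultdict(dict)
    for emp_id, accts in correlated.items():
        if emp_id in manager_of:
            worklist[manager_of[emp_id]][emp_id] = sorted(
                f"{a['system']}:{e}" for a in accts for e in a["entitlements"])
    return dict(worklist)


if __name__ == "__main__":
    corr, uncorr = correlate(HR_IDENTITIES, ACCOUNTS)
    print("orphans:", find_orphans(HR_IDENTITIES, corr, uncorr))
    print("SoD violations:", check_sod(corr, SOD_POLICIES))
    print("certification worklist:", certification_worklist(HR_IDENTITIES, corr))
```

The point of the example is the ordering: the orphan report, the separation-of-duties check and the certification worklist are all computed from the one correlated view, so a terminated employee's leftover payment account and a cross-system toxic combination are visible only because correlation ran first. Feeding the same functions from a single application's account list would show neither.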
When companies implement an identity governance solution to achieve compliance objectives, they automatically reap the benefits of uniting compliance and risk management in a single solution. This risk-based approach to identity management creates a governance framework that intertwines compliance and security requirements and helps organizations to achieve sustainable, affordable compliance while mitigating identity and access risk. It provides a direct path to aligning compliance and security, allowing companies to address the letter of the law while at the same time proactively addressing enterprise risk.
Mark McClain is CEO and cofounder of SailPoint, a provider of identity management software.