Simplify compliance by pursuing it continually, and at a deep level
For business and IT managers today, regulatory compliance is often perceived as a necessary evil—a duty required by circumstances, but certainly not something convenient or helpful in the pursuit of business goals.
Consider what's at stake: solutions to improve or track compliance must be purchased, business processes must be modified or created from scratch, evaluative reports must be generated, and of course, in the event of an audit, compliance must be demonstrated in short order. It's a lot of extra time, energy, and money required of IT at a time when all of those resources are in short supply.
Fortunately, organizations can usually benefit from an approach that incorporates compliance throughout business processes, instead of superimposing it after the fact. By "baking in" the way they pursue compliance, in other words, organizations can significantly reduce the resources required, simplify what they have to do to achieve it, adapt better to shifting requirements, and not just survive an audit, but actually pass one with flying colors.
Of course, moving from that abstract idea to a specific implementation will often involve thinking through many relevant complexities. One such, for instance, is the sheer rate of change. It's been observed many times that IT security is a rapidly evolving field; compliance strategies should evolve in parallel with security developments and solutions.
This, all too often, isn't the case. Usually, organizations implement ad hoc compliance approaches. And these, while sufficient for the short term, won't deliver the best results in the long term.
To understand how compliance architectures and processes should change, consider how security architectures already have changed. In the last millennium, security was often a secondary consideration, pursued via point solutions like firewalls or anti-malware software—a patchwork approach. But today, organizations are gradually shifting toward a more integrated, end-to-end security architecture that can act proactively and efficiently to address both known threats and those that have yet to manifest.
So, too, compliance architectures should be rethought and reimplemented with a view toward continuous, end-to-end capabilities that span the IT infrastructure and business domains and processes in a holistic fashion.
The question then becomes: What's the most efficient way to make that happen? For most organizations, it will be essential to have a trusted partner with proven expertise and a deep portfolio of industry-leading solutions—a partner that can apply both the expertise and solutions in a customized way, tailored to any given context.
IBM Security Solutions can be that partner. IBM security and compliance insights are informed by a long history of successful customer engagements and best practices, and are backed up by best-in-class solutions and services. They treat compliance not as a side issue, but as a central one—a continuous implementation that works via a closed loop.
In each stage of the loop, acquired information is fed into the next as a guide to change and improvement. And each loop, as a whole, similarly feeds its data into the next iteration.
Thus, the total compliance strategy (and architecture) actually gets better over time in all the ways that matter most—more easily updated, more efficient (even automated), and more effective at keeping the organization in continual compliance with all applicable regulations.
What had been a necessary evil that only delivered patchwork results can instead, over time, become almost an afterthought—something that runs so smoothly, and at such a deep level, that it allows an organization to stay focused on business objectives.
Link information across all four stages of the compliance cycle
To see how this works, consider the four common stages of the compliance cycle: assess, remediate, enforce, and report.
Assess
This stage is largely about understanding how the security and compliance architecture is delivering on goals (or not delivering on them, as the case may be). Via assessment, security shortfalls can be detected and quantified; these may well have a negative impact on the organization's compliance posture. Because government regulations specify how sensitive customer data should be managed and monitored, security flaws (or actual breaches) have a direct bearing on whether the organization is living up to those regulations.
At many organizations, assessment is only a periodic event, run on a regular schedule. This means that there are, in a practical sense, large windows of vulnerability in which a problem could exist and yet the organization might not yet have become aware of it. In such a case, assessment needs to be much more frequent.
Assessment duration, similarly, should be optimized. If an organization takes too long to finish an assessment, real-world conditions may have changed so much that the insights or discoveries may have no relevance. The phrase "there's no use closing the barn door after the horse has been stolen" applies here.
How efficiently are vulnerabilities discovered and reported? Without a fully integrated architecture that shares information seamlessly across stages of the compliance cycle, organizations may wind up with compromised overall performance.
For these reasons and others, best results will typically stem from an approach to compliance in which assessment is a continuous event, and in which discovered flaws or breaches are reported and solutions are implemented in the next stage as quickly and comprehensively as possible.
Remediate and enforce
Just as assessment is needed to detect security or compliance problems, remediation and enforcement are needed to fix them. And here, too, different solutions and strategies will yield different levels of real-world value.
One common issue in this context is prioritization. If multiple shortfalls or breaches are discovered, which are more important—and which are less? Which require an immediate response, and which can safely be postponed until a more convenient time? How is the compliance posture affected, and what kinds of issues might emerge in an audit if remediation is delayed or inadequate? It’s important to remediate issues in a prioritized way that reflects their business risk.
Performance, too, is obviously important. Time is of the essence—a faster remediation is obviously of more value, from both security and compliance standpoints, than a slower remediation. And toward accelerating matters, it's very helpful if the overall security/compliance architecture can establish baselines, to link assessment with remediation more efficiently and accurately. Automation can play a key role in improving performance and thus limiting the business impact of breaches/compliance failures.
If discoveries involve more than just a spot response—if they imply changing ongoing policies to enforce security/compliance more effectively—this change demands a fast and comprehensive implementation. That's a lot easier given an integrated portfolio, rather than a disjointed set of tools.
Report
This is the final stage of the cycle. Organizations will have to show, in as much detail as required, that they are aware of applicable regulations, have implemented the necessary oversight and governance over data and processes, and that compliance has thus been achieved.
Beyond the context of an audit, organizations can also use these reports as an ongoing means of gathering actionable intelligence on where, how, and to what extent they need to improve. Results can then be evaluated during the other phases of the compliance cycle.
In this way, a positive outcome is achieved much faster and more efficiently than would be possible without continuous compliance.
While some organizations focus on specific categories of IT security, IBM sees security at a deeper level—across five different dimensions. These are:
As you can see, this provides a comprehensive outlook on organizational security. And because IBM adopts such a holistic perspective, taking into account the total infrastructure from endpoints to data to the people involved (and their different privileges), IBM Security Solutions’ solutions deliver a more integrated and proactive response to security and compliance complexities of all kinds. This is an organic, embedded approach that delivers far more value than competing alternatives.
While some degree of risk is always present in business operations and IT infrastructures of all kinds, the goal should be to minimize that risk in a way that hits operational targets and business goals without compromise. IBM Security Solutions’ solutions and services, including expert consultation, can help organizations accomplish that at every stage in a security and compliance initiative, from initial evaluations to subsequent strategy and implementation to ongoing management over time.
Because IBM is committed to a cross-IT, cross-domain, proactive approach that shares information to drive positive change, IBM clients can proceed in confidence that their security/compliance strategies will grow and adapt in parallel with their needs—not lock them into inflexible paradigms or implementations.
And particularly for global organizations whose operations span many national boundaries, the case for IBM as a security/compliance partner is very strong. With each new country of operations comes a new set of regulations requiring compliance—in effect, multiplying the total compliance challenge to a point that requires the highest possible level of expertise, insight, and experience. Fortunately, that's exactly what IBM offers.