The compliance landscape has changed significantly in the last few years. Not only are IT security threats continually evolving, but so are regulations related to compliance and security protections. With the whole technology sector moving at such a fast pace, new challenges are inevitably going to emerge. We live in an age where IT security isn’t just about protecting files, but ensuring infrastructure is secure as well. Recently, Christopher Frei, Director General at the World Energy Council, described cybersecurity as one of the major issues “keeping energy leaders awake at night.” The case for maintaining compliance now goes further than protecting data from cybercriminals.
At the same time, legislatures have tried to regulate and better protect citizens. In Europe, the most recent landmark piece of regulation was the General Data Protection Regulation (GDPR). Among the most critical reforms of 2015, the GDPR still needs to be ratified by the European parliament, but the terms of the data protection rules further highlight the importance of maintaining compliance, as the regulations would introduce sizable fines for failure to properly protect information.
For most organisations, protecting customer data and information systems as part of compliance policies is a core requirement; however this work can sometimes be a heavy burden. The focus of any business must be driving revenue, and maintaining this and compliance can be a significant challenge. Actually examining how compliance can make a minimal impact on productivity will help to reduce its burden throughout an organisation.
Functionality, Automation and Visibility
Organisations can look to manage productivity by introducing security tools that are easy to use. In fast moving environments, staff will look to the quickest and easiest solution. Security tools therefore must not only meet regulatory requirements but also the ease-of-use needs of the frontline staff. This means IT and compliance teams can have more trust in their colleagues, and reduce any ‘policing’ burden.
A further benefit of making tools more functional is the role it can play to empower whole teams to play a key role in maintaining compliance. Introducing compliance training and making employees feel responsible for protecting their own silo will help spread the burden of maintaining compliance across an entire organisation, not just with IT, auditors and senior management.
At the same time, the burden can be further reduced by introducing some level of automation into processes. For example, ensuring that every file distributed arrives at the right place at the right time can be accomplished with automated, secure information exchanges that are fully compliant. This removes the opportunity for human error, and has little effect on productivity, reducing the compliance liability on members of the staff. We’ve already seen many organisations implementing automatic encryption into emails. This particular technology allows companies to share documents and data over email while keeping the files within a secure protected system. Management can sleep safe in the knowledge that every external contact is automatically encrypted.
From speaking to leading CIOs, we’ve found that a major concern for them is visibility. The moment data leaves an organisation’s IT system, its location can be very difficult to track until it reaches its final destination. People involved in compliance policy want to know whether security could have been compromised, where data is being stored, and who can access it. Particularly when IT systems are complex and disparate, tracking individual files in transit can be challenging.
Consequently, achieving full visibility can be a huge step towards reducing issues related to compliance and may improve security at the same time. From a management perspective, teams can see exactly how information exchange practices are being implemented and flag potential non-compliance problems before they happen. In addition, greater visibility can help to develop an understanding of bottlenecks and can lead to initiatives to lessen the burden further.
Legislative and practical requirements for compliance and IT security are likely to continue to pose challenges. The new GDPR calls on a proactive approach to privacy; we’d expect to see more organisations look to implement technology that focuses on this by design. Ultimately, maintaining compliance may always be a significant task, but investment in the right tools and technology can go a long way to maintaining productivity. Ensuring everything is functional, automated, and visible is where the focus should be for organisations across all verticals.
[su_box title=”About Peter Merkulov” style=”noise” box_color=”#336588″][short_info id=’73426′ desc=”true” all=”false”][/su_box]
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.