SAN DIEGO — Companies are under increasing compliance pressure on a number of regulatory fronts, but the biggest stumbling block to meeting requirements is an internal divide, according to David Mann — executives and IT professionals don’t speak the same language.
Mann, security strategist
with Bindview Corp., told an audience of infosecurity professionals at Microsoft’s TechEd conference this week that IT people have to learn to speak the language of the businesses they serve. He cited, as an example, a conversation between a friend and her three-year-old son, playing out of sight in the basement:
Mom: Whacha doin’?
Mom: Whacha doin’ it with?
Child: A hammer.
“”I don’t want to draw the comparison between executives and three-year-olds with hammers,”” Mann said. The point is that IT professionals have to ask the right questions to get usable answers.
Mann breaks down the compliance pyramid into business processes — the area where executives focus on application controls, and general controls — the infosecurity and infrastructure level where IT has the most influence. “”Here’s part of the communication gap,”” he said. “”You’re interested in servers and bandwidth. That’s noise to them.””
There is good news for IT pros, though. While companies are besieged by regulatory requirements — U.S. firms have to contend with Sarbanes-Oxley, Canadian and EU privacy laws, the Basel Accords, the Patriot Acts and more– the requirements are largely the same, Mann said.
“”The most important aspect of your compliance strategy is your security policy,”” Mann said. “”Every auditor I’ve spoken to says the first thing they look at is your policy.”” A good place to start is ISO standard 17799 — based on British standard BS 7799 — which covers the bases well, except for particular vertical requirements.
Incorporating best practices makes executive comfort levels go up — IT pros don’t have to explain details about encryption and authentication. There’s no need to reinvent the wheel, Mann said — auditors already know what they’re looking for.
And it’s important to position compliance policy as a continuous process, not a one-off project. The process begins with the creation and publishing of rules, their application and verification, then the cycle begins again. “”The key thing is you’ve got to close the loop,”” Mann said.
Mann recommends that IT pros working on a compliance framework “”leverage existing intiatives”” — in other words, hijack a project to demonstrate how it can be applied. Risk and gap analyses are fine, but can be expensive, and provide diminishing returns. The more pragmatic alternative is to target an existing effort for compliance as it comes out of the blocks. “”Make it compliant. Demonstrate success,”” and use the momentum to get buy-in from the suits, he said. Wrie the policy to suit the hijacked project only. A crude gap analysis can be used for Round 2.
This works well in a context where the policy is modular and hierarchical — two important characteristics of a compliance strategy. The four levels of a policy are the charter, the broad business statement that a company will comply; the policy, which explicitly states the compliance goals; standards, which specify how it gets done, and by whom; and technical standards — specific configurations, “”where the rubber meets the road,”” Mann said.
Further advice from Mann: document everything — CYA — and sleep well when you’ve done your job. “”You can’t force executives to comply. That’s the SEC’s job,”” he said.