Companies are under increasing compliance pressure on a number of regulatory fronts, but the biggest stumbling block to meeting requirements is an internal divide, according to David Mann — executives and IT professionals don’t always communicate well.
Mann is a security strategist with Bindview Corp. He teaches that IT people have to learn to speak the language of the businesses they serve. A truism to the point of cliché, sure, but to Mann it means more than learning to talk the executive talk.
He cites, as an example, a conversation between a friend and her three-year-old son, playing out of sight in the basement:
Mom: Whacha doin’?
Mom: Whacha doin’ it with?
Child: A hammer.
“I don’t want to draw the comparison between executives and three-year-olds with hammers,” Mann says, in a tone that suggests maybe he does. His point is that IT professionals have to ask the right questions to get usable answers.
Mann breaks down the compliance pyramid into business processes (the area where executives focus), application controls, and general controls (the infosecurity and infrastructure level where IT has the most influence). There’s part of the communication gap, Mann says. Techies want to talk servers and bandwidth. That’s noise to executives.
While companies are besieged by regulatory requirements — U.S. firms have to contend with Sarbanes-Oxley, Canadian and EU privacy laws, the Basel Accords, the Patriot Acts and more; Canadian firms are affected as the country’s largest trading partner, and by regulatory initiatives at home — the requirements are largely the same, Mann says.
A security strategy is a hierarchical beast. At the top is the charter, the broad business statement that the company will comply. At the bottom are standards, specifying what gets done and by whom. In between, where business statement begets technical configuration, is the security policy.
“The most important aspect of your compliance strategy is your security policy. Every auditor I’ve spoken to says the first thing they look at is your policy.” A good place to start is ISO standard 17799 — based on British standard BS 7799 — which covers the bases well, except for particular vertical requirements.
A best practices approach makes executive comfort levels go up — IT pros don’t have to explain details about encryption and authentication, and executives don’t have to hear them. There’s no need to reinvent the wheel, Mann says — auditors already know what they’re looking for.
And it’s important to position compliance policy as a continuous process, not a one-off project. The process begins with the creation and publishing of rules, then their application and verification, and then the cycle begins again. “The key thing is you’ve got to close the loop,” Mann says.
Risk and gap analyses are fine, but can be expensive, and provide diminishing returns. The more pragmatic alternative is to hijack an existing effort to target for compliance as it comes out of the blocks. Develop the policy to suit the hijacked project only. A crude gap analysis can be used for Round 2.
At the end of the day, it’s the executive, not the techie, who’s charged with creating a culture of compliance. Mann tells security professionals they should document everything — CYA — and sleep well when the job’s done and the ball’s in the executive court. Techies can’t force executives to comply, he says — that’s up to the regulators.