IT pros charged with keeping their companies in compliance face challenges that weren't even on our radar a few years ago. That's because fundamental changes in the way companies consume IT services--led by public cloud computing and expanded outsourcing relationships--mean we're on the hook for the security and compliance of more external entities in the information supply chain. And that brings a whole new set of problems.
To find out how we're coping, we surveyed 422 business technology professionals, all of whom qualified for our InformationWeek 2012 Regulatory Compliance Survey by being on the hook for at least one regulation. We asked about the scope and nature of their compliance strategies, with a focus on how the new reality impacts oversight and governance of vendors, partners, customers, outsourcers, and service providers.
The good news is that the regulatory burden isn't growing. Thirty-five percent of companies must comply with four or more mandates--which is a lot, but the median number of regulations IT must address in 2012 is down slightly from our June 2009 survey. IT teams tend to feel less resource-constrained, with almost eight in 10 fairly comfortable with their resources for compliance. More companies have successfully aligned their security and compliance programs, to the benefit of both.
The bad news is that we can't get too comfortable. The dynamics of compliance are changing as we grant third parties more access to sensitive and critical data, and with them the potential damage if there is a major security breach at one of your key external partners. Fortunately, there are steps you can take to find and address potential problems.
Requirements, Barriers, And Drivers
We found that policies supporting compliance are well adopted among respondents--think acceptable use and password guidelines and pre-employment screening.
But it's easy to write a policy. The bigger question is whether we're doing the challenging work of actually implementing supporting controls.
And, in fact, the data shows that respondents are. We listed 13 security technologies and asked: If you could choose to fund only three security controls, which would you select? The majority favor controls that are mandated by widely adopted regulatory requirements--at the expense of technologies, like data loss prevention and mobile device management, that are probably on the radar for the larger security team.
For example, endpoint protection (a regulatory requirement under PCI, HIPAA, and multiple other mandates) scored highest, followed by application firewalling (a PCI requirement), identity management (supports numerous access-control requirements across a broad swath of regulations), and patch management (supports system maintenance requirements).
In terms of drivers for compliance, fear looms large--predominantly of legal or regulatory action (58%) and negative publicity (41%). This is understandable. From a publicity standpoint, no one wants to make headlines for losing data, and the recent successful attack at LinkedIn has already resulted in a $5 million class-action lawsuit. Meanwhile, regulators are stepping up enforcement action. For example, in June, the Alaska Department of Health and Social Services settled a case for $1.7 million related to its failure to protect electronic health information.
But the most interesting data point, to us, relates to resource availability. In this year's survey, 78% of respondents say they either have sufficient personnel, money, and other resources to address their compliance needs, or are in "generally good shape" on resources. Getting breathing room to address known problem areas, many of which have no doubt persisted longer than they should due to the steady treadmill of projects, is no small feat.
To read the rest of the article, download the July 23, 2012, issue of InformationWeek.