It’s a common refrain from our security clients: “our systems and processes are more about convenience than compliance”. (This is a direct quote from one of them.)
Well, of course they are. Most of your systems (and even more of your processes) were probably developed before the current set of laws and standards came into force. The majority of effort since then has gone into force-fitting compliance onto pre-existing processes. The result: a staggering complexity of processes, and partially helpful technologies bolted on, to meet the needs of a variety of standards, regulations and internal requirements.
The visible impact that recent privacy regulations (i.e., those with teeth) are having is proof that ‘privacy by design’ is key to assurance, efficiency and effectiveness. By extension, we can say the same about ‘security by design’. It takes more effort upfront to deliver a secure system, but it’s cheaper and better in the long run. It can deliver “Convenient Compliance”, which is what organisations really need. “Convenient Compliance” is better for the business and for the users. It introduces less long-term friction and makes for a better user experience. And by user I mean your clients, not just your employees.
Personally, I avoid using companies that have an obviously immature or data-grabbing approach to privacy, or security processes that seem to deliberately place my bank account at risk. (There are still MAJOR companies out there who phone me and then ask me to prove who I am – that is worse than naive!).
The challenge is that legacy systems and legacy thinking aren’t the best of friends with modern compliance requirements. Note: if anybody here has done a straight lift-and-shift to the cloud, then you persisted with legacy thinking and missed a significant opportunity. It’s the equivalent of using a horse and cart on the highway: slow, dangerous, at worst a downgrade for security and at best really scary.
Security architecture and controls-framework approaches, along with cloud and application security technologies, allow you to wrap your legacy environment in something that looks like a warm and comfortable security blanket. It’s not cheap or easy, but sometimes it’s necessary. Unfortunately, the attempt often results in the discovery that something is broken in the app and its architecture. The Gartner security team writes about these approaches constantly, and talks with clients daily who have this problem. But the real issue is that you need to know how and when to spend the money, and if possible use that to argue for updating the apps themselves. Too many security clients don’t appear to have that power; compliance is inconvenient to the business, and so they are doomed to stretch the bounds of reasonableness, implement incomplete solutions and live with excess risk.
You can’t use risk to make every decision. In theory, compliance is binary: you either are or you aren’t. In practice, however, it often depends on the auditor. Interpretation, both of the requirements and of the effectiveness of controls, and written commitments from the CEO to do X, are examples of what makes it more of a grey area. But auditors change, and therefore so do opinions, and risking non-compliance can have the biggest impact on the business: “oops, we can’t take credit cards”, “oh dear, that’s 4% of our revenue gone”, “ow, we can’t play in that market anymore”. Communicating this to the business leaders can be scary, but it’s a key responsibility of the security professional. Sometimes, it’s the only way to get the leverage you need.
Compliance can be inconvenient. The convenience of function is often more immediately important than compliance. We need convenient compliance, and that means being painfully honest. It would be a shame if the business failed because of the fear of honesty.
An inconvenient truth indeed.
Michael Kranawetter, Joerg Fritsch and others are researching these issues right now; watch out for upcoming guidance documents on risk assessment and communication, privacy design and cloud security.
Recently, Richard Bartley, Joerg Fritsch and I have published on how to approach the technology:
Some other Gartner writing in this space:
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.