Compliance is a painful, expensive, urgent, common and growing problem.
In addition to the above, compliance projects create a material distraction from essential business-as-usual activities.
Finally, signing off on a compliance project is a commitment to remain continuously compliant.
Is that really feasible over time?
Let's explore the pain in more detail...
Compliance: It's Just Adherence to Security Best Practice
As much as security professionals tend to look down on compliance as the poor cousin of cyber security, the reality is that when you delve into the detail of compliance, it is simply adherence to a set of controls within a standard, and those controls are defined by security best practice.
The issue is that, once a compliance project has begun, one of the first milestones is the dreaded audit and the almost guaranteed hefty remediation report that follows on from it.
And that's just where the fun begins...
The Operational Overhead of Manual Remediation
We've all been there: a painfully long, boring and detailed meeting, going through every single one of the controls that have either passed or failed, working out what effort is involved in actioning the remediation, establishing what impact it may have on other areas of application functionality and performance, assigning remediation tasks to valuable engineers (which takes them away from essential BAU work) and then booking in a time to review progress.
Rinse and repeat until either all controls have been remediated or compensating controls have been arduously negotiated with auditors who have varying degrees of understanding, care or appreciation for the impact of certain changes.
Compliance Drift: The Reality of Compliance Over Time
So eventually, after many, many meetings, emails and phone calls, the end of the project is in sight, resulting in a final push to get the last controls passed, eliciting that most anticipated of milestones from the auditor: Sign-off.
Internal resources gladly sign off on a range of documents, potentially not realising that there, in the fine print, is a tacit or even very clearly defined commitment to maintain the hard-won level of compliance that has been attained.
The reality is that change happens over time, and change brings with it deviations from best practice, deviations from the controls within the standards that formed the basis of the project and, almost inevitably, a drift away from compliance.
The Dreaded Anniversary
A respected QSA recently revealed that approximately 60% fail their first PCI-DSS compliance anniversary.
More than half have drifted away from the compliance they had worked so hard to achieve less than a year earlier.
The costs associated with operational impact can be colossal.
Continuous Compliance Through Automation: From Pain to USP
There are two ways to achieve the continuous compliance that is required to mitigate these issues:
1. Staff Dedicated to Monitoring, Triaging and Remediating Compliance Issues
It is possible to simply dedicate staff to this role, but the expense is either largely unaffordable for the majority of companies or a financially irresponsible use of valuable funds that could be deployed elsewhere in the company for far greater effect and gain.
In addition, security engineers have varying degrees of skills, focus and availability, so a manual response is inconsistent in terms of adherence to best practice, timeliness of response and quality of remediation.
2. Deploying an Automated Security and Continuous Compliance Platform and Playbook Library
The inescapable reality is that Continuous Compliance can only be consistently achieved with automation.
The good news is that there are multiple benefits that result from deploying automated security and compliance, not least of which is the ability to turn compliance from a cost centre into a badge of honour that allows companies to engage with and win more customers and in turn grow revenue from what was once an operational overhead.
Explore the possibilities today.
Start your 30-day trial and transform your security posture in the cloud today.