SAN FRANCISCO -- Today, more than ever, organizations are stuck in an ongoing compliance cycle, and compliance fatigue is setting in, according to experts who spoke frankly about the problem at RSA Conference 2012.
The conference session, Compliance Fatigue: How to Stop Chasing Compliance and Get Back to Business, addressed how to avoid being overburdened by the mountains of documents and never-ending tasks tied to compliance. Compliance experts from Pricewaterhouse Coopers offered tips for IT pros and compliance managers on reinvigorating compliance efforts within their organizations.
Compliance fatigue has increased over the last five years, said Michael Dahn, director of threat and vulnerability management at San Francisco-based Pricewaterhouse Coopers Advisory LLC. "This is because of the proliferation of information security regulations within the U.S. that has built up since the beginning of this decade," Dahn said in an interview after the session.
Dahn suggested that the people in charge of their company's compliance programs measure their effectiveness using the Security Maturity Model. The model, developed by Dahn, rates an organization's maturity level (including having documented policies and procedures, having executive leadership on the governance team, and being able to perform consistent, repeatable events) and an organization's security level (based on its tactical security implementation).
Organizations that fall into the lower left quadrant of the model, with low security and low maturity, are most susceptible to compliance fatigue, Dahn said. (Dahn noted that compliance fatigue should not be confused with a dislike for, or dissatisfaction with, compliance.) From his personal observations, Dahn estimates about 25% of all U.S.-based organizations fall into the lower left quadrant, while 15% fall into the upper right quadrant, although he noted the numbers may vary by industry.
Security Maturity Matrix by Michael Dahn
Organizations with immature compliance efforts tend to ride the "hamster wheel of compliance" every year, Dahn said. Each year, the auditor comes around and employees spring into action, and then compliance tasks slide until the following year, when the process is repeated yet again, he said.
So, how can organizations get off the hamster wheel and move to the upper right quadrant of the security maturity model? Dahn recommended that organizations make a concerted effort to spread their compliance activities evenly throughout the year. "Reducing scope hasn't really solved the problem," Dahn said. "It's more of a business decision to tie implementation of compliance with the organization's business objectives."
Organizations must also break down compliance silos, Dahn said. "Too often, you will see companies with a HIPAA compliance person and a PCI compliance person, etc.," he said. "Companies have to have a compliance manager handling compliance with a top-down approach."
Dahn said he sees some companies executing a patchwork of compliance efforts. "This results in redundancy, inefficiency, wasted resources, and ultimately compliance fatigue," he said. "Instead, try to look at the big picture. Remove redundancies and find efficiencies." He encouraged companies to take the time to document policies and procedures, so compliance tasks are more easily repeatable in the years to come.
Pieter Penning, senior director at Pricewaterhouse Coopers, also shared his compliance insights with the RSA session attendees. His motto: "Address risk and compliance would be the outcome."
Penning advised attendees to avoid focusing on specific compliance tasks and instead aim for the best security posture they can attain. "The goal is to have a sustainable program," Penning said. "Work to reduce risk, not to achieve compliance."