So many times I’ve heard business leaders complain that the data protection requirements within the multiple laws and regulations only hurt business; that they are not necessary and have no true impact on really protecting data…they are just bureaucratic hoops forced upon businesses to placate the politicians’ constituents by lawmakers who know nothing about the nuts and bolts of implementing information security…and that the cost of compliance only hurts the business’ bottom line.

Have you heard these viewpoints? There have been multiple articles written by business leaders venting on this issue. They often state there is no proof that the data protection requirements within the laws have any positive impact.
Well, they do make a point about there being no documented proof. I must admit, I have not seen such verifiable proof, beyond isolated examples and hypothetical theory, that clearly shows compliance with data protection requirements verifiably reduces security incidents and data loss. Until now…
Recently I had the opportunity to speak with Jim Hurley, the Managing Director for the IT Policy Compliance Group, about a new survey and analysis report he did in partnership with Protiviti.
The resulting report, “Why Compliance Pays: Reputations and Revenues at Risk” is an interesting, insightful and informative read.
The conclusions are basically that being in compliance with data protection requirements will result in fewer incidents, and thus will result in less loss to organizations and more net revenue. This validates the common-sense view of data protection. The study provides the numbers to show CxOs that implementing controls that are mandated by laws, regulations and policies really will lower the number of incidents, and the negative impacts of those incidents, as compared to companies that did not have controls in place.
It also shows that, for the most part, the data protection requirements within most (true, not all…there are a few wacky laws out there) laws and regulations really are sound and good business practices and not just a bunch of bureaucratic hoops the lawmakers are making organizations jump through.
Yes, putting data protection controls in place has always seemed to be common sense, at least to informed information assurance (IA) professionals. But experience has shown that common sense alone does not convince your CFO and other executives who control your IA budget to provide adequate funding for IA controls and initiatives.
For the first time that I’m aware of, this study shows a direct link between implementing controls and decreasing security incidents. The results and supporting numbers are something that CFOs, CEOs and CIOs will be able to understand and relate to; using these results, they will be able to justify the decision to invest in information security better than they could in the past, when the only justification was best practice or even regulatory compliance.
I also believe this study, report and findings could be very useful for supporting the passage of new federal laws for comprehensive data protection and privacy laws. Lawmakers can now point to this as solid evidence, and not just opinion, that not only do organizations benefit from data security, but that doing so also protects consumer information. Many of the politicians running for 2008 president have made their second home here in Iowa. Hey, Hillary, Barack, John E, John McC, Rudy, Mitt, and all you others; what are you planning to do with regard to passing comprehensive federal data protection laws? Look at this report to see why you need to support such legislation. I’d be happy to meet with any of you to discuss; perhaps at the upcoming Iowa State Fair? 🙂
Another potential I see for this report is to provide some initial statistics to improve the current actuarial tables used for cyber risk insurance. To date the data used to determine premiums and loss probabilities have been shaky, at best, and largely based upon publicized events. A large majority of incidents go unreported, even with the preponderance of breach notification laws. As actuaries know, basing insurance coverage upon news reports is not sound practice, and could result in cyber risk premiums that are completely inappropriately priced.
I found the following passage from within the report very interesting:

“Control objectives are the policies and objectives that organizations establish for compliance and data protection. While the leading organizations—those with the fewest IT compliance deficiencies and the lowest rates of unreported data losses—are employing more appropriate IT controls, they also have the fewest number of control objectives compared with other firms. A clearly articulated set of objectives leads to more effective training, certifications, reporting, and measurements that are conducted by internal and external auditors.”

So, basically, this report finds that the fewer information security and privacy policies an organization has, the better its security and the fewer its data loss incidents.
As Jim Hurley confirmed during our discussion, yes, “That’s what the data shows. Fewer policies, with more controls, result in fewer data loss incidents. The policies need to be more focused and based upon risk to the organization.”
This certainly highlights the importance of knowing risks BEFORE creating information security policies. Too many organizations do not base their information security and privacy policies on risk; in fact risk is often not even considered when creating policies. Many (or most?) organizations purchase pre-canned policies (which can be good STARTING points, not the end product) and use them verbatim just to get some policies “out there” to comply with legal and business partner requirements to have policies.
I also found the following passage interesting:

“the firms with the fewest undisclosed latent data losses and least number of compliance deficiencies are reallocating funds from external contract spending towards additional funding for equipment and software specifically targeted at automating the monitoring and measurement of controls and procedures.”

This conclusion as stated seems to imply data losses can be prevented with technology alone. This leaves out the very important human element of awareness and training. Couldn’t making statements such as this in the report lead to organizations taking the already meager funds from education efforts and investing in technology, leaving the companies open to mistakes and malicious actions of authorized insiders that could not be prevented with technology alone? A large part of compliance does require, after all, training and awareness activities.
So I asked Jim Hurley about this. Jim responded, “No, the study results are not meant to imply awareness and training is unnecessary. An important part of security controls is self-assessment. The organizations that do well for all three performance categories covered in the report all implement self-assessment based upon having proper training. Research shows that training is very important. Awareness and training are critical for information security success. In coming months we will deliver a report that answers questions from the benchmarks we’ve been doing. A whole series of questions in this report will address the importance of awareness and training.”
Another passage caught my eye:

“The majority—82 percent—of the firms with the fewest IT compliance deficiencies also have the fewest business disruptions from IT security events annually. Moreover, actual downtime for these firms averages six hours each year.”

This supports the validity of the compliance requirements. It validates compliance requirements as being sound business directives, not just bureaucratic hoops to jump through.
The bottom line message of the study results is that data protection compliance reduces data loss.
Jim Hurley concurred, “There is a true link between the compliance efforts and the reduction of data loss. Effective controls make more resilient systems, result in more uptime, and achieve more compliance. This study provides proof of this. There are two messages this research provides. 1) The research clearly points to a relationship between better controls and control objectives and less financial risk, or likelihood of the risk having negative impact. 2) The results provide good evidence for implementing controls. The data shows the frequency of events to allow for good sound financial decisions.”
The bottom line equation to take away from the study is:
IT compliance = improved controls = improved resiliency = lower data loss = lower reputational risk
This has never been shown in a study before, at least that I have seen. Please let me know if you’ve seen similar studies!

