IT security teams must think beyond compliance

Tuesday, March 05, 2013

Compliance can serve as a powerful motivator for protecting corporate technology environments, but it should not be the only factor IT security teams focus on. According to Computerworld contributor Jaikumar Vijayan, over-emphasis on compliance has led to gaps in data protection strategies. Meeting requirements such as Payment Card Industry standards is an essential step in safeguarding digital assets, but focusing solely on those provisions can leave room for improvement. 

"Compliance requirements are often static and prescriptive, according to security executives," Vijayan wrote. "Compliance gives organizations a way to measure the outcome of security efforts, though the measurements can be misleading and provide only a one-time snapshot."

According to Vijayan, audit-related fears have made compliance a "full-time job" for IT teams. However, Anup Ghosh, founder of security firm Invincea, suggested that many of the time-consuming tasks have less to do with IT security and more to do with proving that a business is meeting requirements. This means that a firm may be compliant even while implementing minimally effective safeguards. 

A more effective approach
Protecting organizational data requires treating compliance as one part of a broader effort that also meets overarching IT security needs. It may be beneficial for businesses to adopt managed hosting services, so that internal teams are not overburdened with compliance tasks. While some companies have been reluctant to shift critical tasks to a third-party provider, doing so can improve security postures. As eSecurity Planet contributor Paul Rubens recently noted, this has been showcased by the increasing sophistication of cloud-based security tools.

One of the improvements Rubens highlighted is better endpoint security. He used the example of cloud-based antivirus solutions. Because every web-enabled device in a company accesses these tools, each endpoint serves as an effective malware monitoring platform. This allows for quicker improvements to the software. Cloud hosting environments also offer the advantage of storing assets within a centralized environment rather than moving data across a variety of platforms and devices.

"[T]his harms cybercriminals because they can only get a return on their investment in malware from the time it is launched to the point when endpoints are aware of it and block it," Rubens wrote. "Since cloud-based technology makes this window shorter, the potential to make profits decreases."

While some concerns about cloud security remain, such as access control, a thorough vetting process can ensure that providers enable effective safeguards to meet their customers' data protection needs.