Has your company or a company you know of failed a compliance audit? Many security models are built off of the necessity to meet compliance regulations. While it is understandable to build compliance-driven security initiatives, it is not a best practice.
One of the main reasons companies build compliance-driven security initiatives is that they are trying to reduce cost and time spent. However, there is a win-win in data security that goes beyond saving time and money on achieving compliance, and it starts with accurately identifying and classifying the sensitive data that needs to be protected. Doing so can serve both compliance and security initiatives quickly and inexpensively.
Our conversations with potential customers suggest that the reasons why folks primarily worry about compliance are many:
- If my security program is compliant with regulations X, Y or Z, I can’t get fined because I am putting forth reasonable effort
- The folks writing the regulations know what they’re doing, so I’m secure if I just do that
- Our industry / company isn’t really targeted, and / or we haven’t been breached
- Our budget is too small to thoroughly protect ourselves, and so by necessity we need to just focus on being compliant
Oftentimes, failing a compliance audit propels rapid action and can break loose budget increases here and there, especially when aided by misconceptions like the ones above. However, achieving compliance alone is no longer sufficient to reduce corporate exposure to information security risk.
For one, a failed audit may be the motivating driver, but being in compliance not only fails to guarantee the protection of your sensitive data, it increasingly also does not insulate you from penalties, as recent rulings suggest.
- Recent penalties and fines have ranged from hundreds of thousands of dollars to as high as $25M, in many cases levied on organizations that thought of themselves as having been in compliance
- Also, most of the organizations that experienced spectacular hacks were in compliance, and thus while compliance is clearly necessary, it is not sufficient to achieve information security
A second reason why compliance is not the same as security is that some data is not regulated. Intellectual property, for example, or other forms of valuable data that do not fall under regulations, such as personal emails, corporate sales data, or upcoming product information, are all types of unregulated data that are nevertheless highly sensitive, and losing them could mean financial exposure.
Having now illustrated why being in compliance is not the same as being secure, it is also important to understand what the consequences are of not being in compliance versus not being secure if a breach event happens. This little decision tree illustrates the consequences and likely costs:
The win-win is that by knowing where your sensitive data is, compliance AND security improve without slowing things down or adding costs.

Given the need not only to be compliant but also to implement an effective security strategy while striving for compliance, the question then is how to do so without driving up costs or complexity beyond the original, compliance-driven goals. The short answer is that this starts with classification, so you know where your sensitive data resides.
- You can be compliant with PCI, HIPAA and other standards using data classification
- By knowing where the sensitive data is, you know which security strategies can best be leveraged to protect it, which makes your overall security spend more efficient
- Automation, accuracy and persistence are key to effective data classification
- You can protect both structured and unstructured data, no matter what type of sensitive data it is, and deploy not just manual but also automated classification
Combine both worlds: prevent data breaches and identity theft AND be compliant