Are you in compliance?

Don't miss out! Sign up today for our weekly newsletters and stay abreast of important GRC-related information and news.

Shop Talk: How Compliance and IT Can Get It Together

Joe Mont | July 17, 2012

Long gone are those times of yore, when “IT security” was universally understood to mean “hackers on the outside trying to break in and steal your data.” Spare a moment for those simpler days, now gone for good.

Today IT security can mean almost anything: threats coming from both inside and outside the company, done deliberately or through innocent—but dumb—mistakes, and in a new form almost every month. And the biggest fear is not necessarily loss of valuable company data; just as bad, or worse, can be the publicity or regulatory fines for the blunder.

Little surprise, then, that when compliance and IT security officers try to build effective solutions, they're more daunted and overwhelmed than ever.

“Compliance itself is very fragmented,” Michael Rasmussen, head of the Corporate Integrity consulting firm and fellow at the Open Compliance & Ethics Group, said at an executive forum hosted last month by Compliance Week and Secure Computing magazine.. Add in the IT department, he continued, and the sense of disconnection only grows.

Many IT departments are “ignorant about what a good compliance program should look like” and the legal and regulatory realm that companies face, Rasmussen told a group of more than a dozen compliance and IT security officers. “You talk to your typical IT security person and they're not aware of things like the [landmark] Caremark decision, or Stone vs. Ritter, which put clear obligations upon the board of directors to oversee that a compliance program is in place.”

Chief compliance officers aren't fully exonerated either, he added. The CCO may be “a technology Luddite” who doesn't fully comprehend how new technology can enhance and enable compliance processes.

“There is a lot that the compliance department can do to help educate IT security and build a consistent program around policies and delivering training programs,” he said. “IT security can really help educate a lot of the compliance function by showing how technology can automate and deliver a lot of these processes that are often quite a mess in organizations today.”

How challenging can it be to coordinate IT security and regulatory compliance? Gene Fredriksen, chief information security officer for Tyco International, gave the example of trying to steer his company to a more secure e-mail system worldwide. The idea was simple, but then came unexpected regulatory hurdles and data privacy laws that vary nation by nation and state by state.

“Take a basic service that we all take for granted and when you start to pull back the covers even something as simple as e-mail has massive compliance issues,” Fredriksen told the audience.

The tensions between IT and compliance departments are emerging more often as technology evolves—especially the advent of virtualization and cloud computing, which can indeed offer considerable cost savings to IT departments. That temptation to save money can lead to what Fredriksen described as the “ostrich defense,” a tendency to ignore tricky questions about data protection even though the U.S. Sentencing Guidelines make clear that a company can't abdicate that responsibility.

“The rush to move to virtualization and the cloud for cost savings is overriding the need to put risk controls in place,” says Sanjay Raja, director of product marketing for TippingPoint at Hewlett-Packard, and an expert in network, application, and cloud security. . “If I outsource to a cloud provider what happens then?” he asks. “Who is responsible for compliance?”

“Take a basic service that we all take for granted and when you start to pull back the covers even something as simple as e-mail has massive compliance issues.”

—Gene Fredriksen,
Chief Information Security Officer,
Tyco International

Raja said cloud services providers are often confused about what standards they have to follow. “They are looking at things like [Payment Card Industry (PCI)] or HIPAA as guidelines for being able to understand how to secure this data, but they really have no idea on exactly how they want to do this individually,” he said.

Raja says merely saying “trust us” is not acceptable for customers concerned about security and privacy issues.

“Customers are asking the providers to produce an audit report or a compliance report and, obviously, a lot of the providers are saying, ‘That's not something we can do.' But they are being forced into it. We are seeing some of them [realize] they are not going to be able to grow their customer base if they can't provide it.”

Some industries do have an easier time of melding compliance and IT security needs than others. In the healthcare sector, HIPAA—the nearly 20-year-old statute requiring protection of individuals' healthcare data—makes cooperation among the two functions a necessity.

Pictured here: Health Quest CISSP Chief Information Security Officer David Sheidlower (left); Federal Home Loan Bank of NY VP and Director of Information Security Kenneth Brothers (middle); and Joseph Santangelo, principal consultant at Axis Technology.

Panelists heard from Gene Fredriksen, chief information security officer at Tyco International, discussed how his company tackled the issue of moving to a more secure e-mail system worldwide.



Unfortunately, healthcare (and along similar lines, financial services) seems to be in the minority. In many industries, Fredriksen said, “The rate of change really tends to be a killer.”

“If once a month your security guy is running down the hallway with his pants on fire because there's a new regulation that got on the books, something is wrong,” he says. “In my world, I call that chasing raindrops. In this mode, every new regulatory initiative is a start from scratch. When HIPAA came out you had people that, rather than look at their program and find out what the gap was between their program and HIPAA and focus on those changes, they set up a new committee and they started from scratch with their own HIPPA-centric policies and those kinds of things.”

Fredriksen sees the ideal IT-compliance partnership as one where a company looks at new and emerging regulations and “only deals with the deltas”—that is, the change in process that might need to happen to satisfy the new rule. Mapping a new regulation to existing controls and then having IT and compliance work together to address gaps is the best way to eliminate redundancy, he said.

Reporting Structure

There are organizational issues for companies to consider, including the benefits or consequences of allowing compliance to exercise control over privacy and IT security. Also, who reports to whom.

“Does compliance have its own seat independent of legal, which is becoming the preferred model, or does it report in to the general counsel, which can actually water down the approach in a lot of instances?” asked Daniel Tannebaum, head of compliance – Americas for Travelex.

“When compliance had their own seat, they were freer to run with it,” he said.

Michael Rasmussen, principal analyst of GRC360° Research, illustrated some ways the compliance department can help educate IT security.



“There is a push by government to have compliance report outside of legal,” Rasmussen said. “Compliance's goal is to really find and fix problems. With legal it is sometimes to protect and deny. And so, these can be at odds against each other. Even the latest revisions to the U.S. Sentencing Guidelines talks about compliance having access to the board themselves.”

As important as building a bridge between IT and compliance is getting company leadership to commit to, and encourage, a holistic approach.

“Do compliance and information security groups need to come up with some kind of ROI or cost of doing nothing?” asked Joseph Santangelo, vice president of business development and principal consultant at Axis Technology. “In general, it always seems like the sky is going to fall and that's why we have to do it. But does anyone have to come up with a quantitative measure for either doing, or nor doing things?”

“Benchmarking is critical,” suggested Fredriksen. “The goal is to report to the board that you have benchmarked yourself against four or five industry peers and be able to state that your compliance policies and security programs are equivalent in these areas that reflect best practice.”

“We definitely try to sit down with [management] as they grow to try to show them what it is really going to cost,” Tannebaum said. “What's this license going to cost? Do we have to maintain a bond locally with the government or with the municipality? It is definitely key to show them that.”

“Nobody wants to be the business prevention officer, whether you are IT or compliance. None of us want to be labeled that,” he added. “But it is so easy to go that route and just say no, because we can and because that's what we are paid to do in a sense. But it is more satisfying to work with the business as they try to grow.”