21st November 2012
Multiple security and compliance point solutions can all too often combine to obscure an organisation’s view of its data assets. This makes the task less assured – particularly for Small and Medium-size Businesses (SMBs). But there may be easier ways to ensure adequate levels of security and, therefore compliance.
Information security compliance is big business for many software vendors. As the threat landscape evolves, organisations of all sizes are becoming increasingly reliant on information security programmes to manage their data assets. And the explosion of social media, mobile and other online services complicates the risks to corporate information systems even further.
Larger enterprises are better placed than smaller businesses to travel the long and complex compliance journey. They have deeper pockets and greater access to expert resources to make their risk management and information security compliance investments count. Their challenge is more about how to consolidate information – how to correlate data from disparate information security solutions into meaningful and actionable intelligence.
“For the trading partners and regulators relying on SMBs to self-certify, what assurances can they have that security compliance solutions are being used as intended?”
But at the other end of the spectrum, are the leading enterprise brands lulling smaller organisations into a false sense of security? Smaller organisations are expected to buy the same costly, unwieldy enterprise information security compliance solutions but often lack the resources to deploy and manage them effectively. And for the trading partners and regulators relying on SMBs to self-certify, what assurances can they have that the systems are being used as intended?
Enterprises have long-established investments in people, process and technology to combat the threats to their corporate assets – in many instances, regardless of mandated regulatory requirements. Businesses have become more heavily dependent on digitally enabled commercial relationships, and their perimeter networks have extended to include their trading partners. Compliance standards such as ISO 27001/27002 (commonly known as ISO27K) are well respected and frequently adopted voluntarily, while new industry standards, such as the Payment Card Industry Data Security Standard (PCI DSS), have emerged to address the increased risks associated with a more open online trading environment.
As large enterprises adopt and comply with these standards, they expect their trading partners, many of whom are SMBs, to follow suit. Over the past few years, the pressure on SMBs has increased. Large corporations have sought to impose new standards on SMBs to ensure that they comply with their trading requirements. But SMBs face bigger challenges and meeting these expectations is often a struggle. SMBs tend to have fewer security structures and controls in place. They are also short on spare capital and dedicated security resources. For these reasons they will often hold back on investing in individual compliance solutions until forced to do so by their trading partners or until budgets become available.
“SMBs would be better served by a more straightforward, integrated approach that can help them make sense of data and turn it into actionable information”
Even more recent information security standards, such as PCI, have their roots in the enterprise. PCI and many other standards are a derivative of ISO27K, but unlike ISO27K, they do not consider risk – instead they are more like a wish list for perfect security. Essentially they represent an all-for-one, one-for-all approach demanding significant resources and budgets to match. As many SMBs have discovered, this approach is simply not practical in real life. Instead, SMBs would be better served by a more straightforward, integrated approach that can help them make sense of data from diversse sources and turn it into actionable information.
The enterprise-led approach to risk management forces SMBs, bound by law or industry regulation, to invest in the usual point solutions to meet their compliance and information security obligations. Competing on feature functionality, these solutions have a broad set of attributes with too much functionality to ever be fully utilised by SMBs. Often it’s a high price to pay for a reactive rather than strategic approach to information security compliance.