Security Paradigms

A security consultant reports from the trenches.

Steven Fox

Compliance Management Challenges - Incomplete Coverage

Regulatory requirements are part of the business landscape for most organizations.  Regulatory compliance was cited as a driver for security investments by 40% of the respondents summarized in the March 2009 OWASP Security Spending Benchmarks Project Report.  This reflects one of the motivations behind industry, state, and federal regulations – protecting the confidentiality and integrity of customer data.  Because so many different kinds of businesses draw value from that data, different regulations were written to address requirements unique to each environment.  Unfortunately, most businesses do not list compliance among their core competencies.

According to Chris Noell, Executive VP of Product Management for TruArx, most companies only manage about 5% of their compliance requirements.  “In some cases, this is because organizations perceive that it will be too expensive to manage all their regulatory obligations, so they focus on the ones that they perceive have the most teeth,” Noell said in a recent podcast.

This approach, said Noell, can backfire in the long term.  The HITECH Act's amendments to HIPAA, for example, provide that encrypting protected health information so that it is unreadable exempts an organization from having to disclose a breach of that data.  Short-term non-compliance may prove harmless if the company is lucky.  However, once unencrypted personal health information is compromised, that company has no such safe harbor and must announce the breach.

Many companies believe that the requirements covered by the few regulations they do comply with are common to all other mandates.  In other words, by complying with a few, they comply with all.  Edward Schwartz, CSO of NetWitness Corporation, points out that each regulation addresses requirements specific to a particular business area.  “Regulations are just designed to create a baseline,” said Schwartz, “a minimal acceptable value, security standard, and lexicon for people to speak to when they talk to each other,” within an industry.

Noell points out that businesses should leverage technology to assess all of their compliance obligations rather than a favored few.  “One thing nice about having a harmonized database of controls is that you can actually confirm how much overlap there is between various regulations,” said Noell.

In order to compete effectively, businesses must understand the regulatory issues that shape their landscape.  Organizations should first assess the full set of their compliance obligations.  Once those are determined, governance tools should be implemented to manage the obligations effectively.
