Managing Compliance Risk

By Tom Schmidt

As the regulatory compliance landscape becomes steadily more complex, the risks associated with noncompliance grow more costly. Within IT, the challenge lies not only in achieving compliance, but also in sustaining it when faced with overstretched staffs and budgets. This article considers the prospect of leveraging IT to drive growth while adhering to government mandates.

Compliance emerges as key driver
Any doubts about the role regulatory compliance plays as a driver of information security initiatives should be dispelled by the results of a global survey released in November. In an Ernst & Young survey of 1,300 organizations worldwide, nearly two-thirds of respondents said compliance is the primary driver of information security at their businesses, followed by worms and viruses and meeting business objectives.

"The sheer number of regulations and the consequences of not complying have brought information security into the boardroom," the report stated. "Yet many organizations are missing the rare investment opportunities that compliance offers to promote information security as an integral part of their business."

At least one security manager who spoke with Computerworld about the survey doesn't intend to let those opportunities pass her by.

"I think this is a great opportunity to rethink security spending, because it shifts the focus from the reactive work of incident response to more proactive controls and helps us to focus on best practices," said Kim Milford, information security manager at the University of Rochester in New York.

The cost of compliance
U.S. companies are on track to spend $15.5 billion this year on compliance projects, according to AMR Research. Approximately one-third of that total involves IT spending on compliance.

Such spending activity has contributed to a change in the prominence of the CIO at many organizations, according to some industry observers. For example, CIOs are now working more closely with their counterparts in the executive suite, they say. Many CIOs in the 1990s lacked access to the CEO or CFO. Moreover, many organizations didn't have compliance officers in place.

According to a study conducted earlier this year by CIO Insight, fully 58% of CIOs now report to their CEOs, compared with 19% of CFOs and 14% of COOs. The study also found that CIOs now spend 51% of their time focused on business issues and 49% of their time on IT issues.

The study also found that, in terms of compliance, 56% of large companies (with $1 billion or more in revenue) now require CIOs to certify financial results.

The bottom line is that, in today's regulatory environment, more organizations are coming to the understanding that their CIOs must have a seat at the executive table during strategic business discussions.

Automating the process
Until recently, most compliance initiatives were approached with dread. That's because, in many instances, manual processes and weak business controls undermined the initiatives. Progressive companies, however, are beginning to use current and emerging technologies as enablers to redesign their business processes in ways that will help them achieve their strategic objectives.

They may have no choice. Compliance is a daunting task, and enterprises are already under extreme resource constraints. They must also conduct business in an ever-changing threat environment. (To take just one example, in the first half of 2005, when more than 10,866 new Win32 viruses and worms were documented, an increase of 48% over the 7,360 documented in the second half of 2004.) As a result, savvy enterprises are adopting solutions that automate the process by proactively monitoring and measuring their compliance with security practices and regulations, ensuring that all of their systems are compliant.

The following three-step process can help organizations achieve and, more importantly, sustain compliance with information security mandates:

• Assess the current compliance posture and associated risks and vulnerabilities across the enterprise
• Design and implement IT controls for information security
• Implement an automated, consistent, and repeatable process for testing, measuring, remediating, and reporting on the state of IT controls

The end result: A deeper understanding of the regulatory impact on IT security, decreased risk through a stronger IT control structure, and an efficient and cost-effective process for managing the compliance process across the enterprise.

Profiting from compliance
The relationship between corporate compliance and new revenue opportunities is also becoming increasingly clear. For instance, many major insurance firms now equip their mobile sales forces with wireless notebooks to more effectively engage or service their clientele. Those notebooks speed customer claims processing and hasten new revenue opportunities.

However, insurance firms must also safeguard those systems from probing eyes or data loss. Customer data needs to be protected while on the systems and safely moved offline to fulfill longer-term compliance mandates.

Likewise, a recent study by the Ponemon Institute found that companies with superior information security and privacy practices reap market benefits. The Institute works with Fortune 500 companies to address data protection, risk management, and security requirements for IT organizations. As reported on compliancepipeline.com:

"Ponemon's organization found that companies with superior data-protection practices earn a 2.5% higher participation (opt-in) rate and a 0.32% higher conversion (click-through) rate in online marketing promotions. While these percentage increases may seem small, they can translate into substantial profitability gains for a company building a business online."

The following steps can help ensure adherence to regulations while driving revenue growth:

• Get boardroom buy-in. As we've seen, revenue, profit, and compliance strategies are interrelated and require the board of directors' full attention and support.
• Document and automate. Formalized, written procedures help protect a business and allow it to focus more time on growth opportunities.
• Audit frequently. Controls should be inspected regularly to identify weak points in the business operations.
• Spread the word. Non-confidential revenue, profit, and compliance goals should be shared in formal business communications with employees.
• Stay flexible. Goals should be adjusted regularly based on business conditions and emerging regulations.

Conclusion
Today's real-time enterprises need to evolve their compliance efforts from ad hoc projects to cost-effective and efficient processes that can be applied across various compliance initiatives involving the security and availability of information. Enterprises also stand to gain the most by approaching compliance as a strategic initiative. A strategic approach helps enterprises better understand and mitigate compliance risks, improve the IT control structure, and increase efficiencies across the organization.

Tom Schmidt writes frequently about information security topics. He has more than 15 years' experience as a writer and editor in high-tech publishing.