The security compliance program of an enterprise is a core function in achieving sales, maintaining regulatory and contractual obligations, meeting the security challenges of a connected world, and balancing consistent operations against returning a profit for the business. A challenge within these programs, especially for businesses that do not have a consolidated, mature program operating at the executive level, is the transparency of cost and the improvement of margins within operations.
Transparency of cost relates to the costs of supporting compliance, security, and privacy requirements within products and services. The lack of transparency can exist in many areas, but this article focuses on the specific costs of reporting to third parties on the state of the compliance and security program. Such costs arise in any of the following scenarios:
- A sales person seeking to close a sale brings in an engineer and a product manager to speak to, and commit on, security and regulatory safeguards. Initiating a new agreement may require a 250+ question questionnaire to be completed by that engineer, which typically requires additional parties to respond (roughly 30-50 hours of engineer time x % of new deals signed annually).
- The help desk pulls in engineers to respond to security / compliance questions submitted online (roughly 1-3 hours of engineer time x # of customer requests).
- Annual queries are directed at engineers, leadership, product managers, and sales teams to demonstrate that security and compliance programs exist or that controls specific to a customer request are satisfied. Such annual queries may involve questionnaires as mentioned above (approximately 30 hours to address), on-site audits, and third-party audit reports.
The end result of this single area of cost is time taken away from valuable engineers who should be developing and improving the product, and executives focused on tactical activities. In addition, a non-optimized security compliance program gains no leverage from the above activities, so each activity repeats past work. Zero scale is achieved.
Reflecting on your organization, improvements can be gained. An approach that has proven beneficial is to consider the following questions, whose answers are easily measurable and can be tracked:
- What is the unique number of security and compliance controls deployed within the products & services?
- What is the number of queries for each period?
- What is the number of FTE hours to address these queries? (The figures above are averages that I have seen, but the analysis is worth refreshing for your organization.)
- What is the number of interactions the individuals have with the customers?
- What is the current central approach to meeting the needs and responding to such queries?
The last question leads to the idea that the program should be centralized so that these queries are managed in one place. This provides scale, lessons learned, and coordination across the business. When designed and tracked in this manner, the program itself becomes part of the sales process, account maintenance, and a regular touch point with the customer. Establishing the proper executive leadership and integrating this program is critical to every direct-to-consumer business, and more so for the rapidly growing technology services sector.
Posted in audit, Compliance, IT Controls, Risk Management
Tagged 2013, best practices, infosec, it compliance and controls, IT Controls, james deluccia, jdeluccia, maturity, scale, Security, security compliance program, vendor audits
As a greater number of enterprises transform their products and services so that they can be delivered directly to clients, the increased dependency creates obligations for both parties. Specifically, as technology services are adopted by enterprises and greater dependency is placed upon the relationship, regulations and customer requirements will be pushed down to these service providers. This typically does not occur immediately, but only after the delivered services become more integrated and reach a material state within the enterprise. (An example would be using a cloud service provider to host specific servers that then become the financial reporting servers, which introduces SEC, IRS, and SOX requirements.)
Establishing a developed security compliance program is paramount to meeting customer requirements in a timely manner, actually having appropriate security and compliance safeguards, and ensuring the business maintains a profitable service.
I have discussed the maturity, responsiveness, and adequacy of security and compliance controls before, so they will not be the focus of this article. Instead I want to highlight the third requirement – which the business may consider MORE important – and that is profitability.
The common program experiences the following scenario:
The growth is great and responding to customer requirements is expected. The surprise for most businesses is the direct 1:1 relationship between sales and compliance effort, and the lack of scalability without some program in place. As the business sells more and the clients become more dependent, the need and requirement to keep the customer increases, to the point that inquiries begin with simple SOC / certification confirmations and evolve into questionnaires and, in some cases, detailed on-site audits. These activities also generally impact the engineers of product and service development directly.
Instead, establishing a centralized program changes the picture above to show a more staggered growth rate in the level of effort and FTE costs associated with the security program. This provides better margin and sustainability through scale and coordination.
This is a singular example of the value of a security compliance program that is developed. What other attributes exist?
Posted in Compliance, IT Controls
Tagged 2013, best practices, cloud computing, cloud services, Compliance, cybersecurity, information security, IT Controls, james deluccia, Security, security compliance, service provider, technology sector
In 2008 I wrote a book, partially on the premise of cross-mapping regulations together in a manner that builds a common control framework for enterprises. The genius here was to address all requirements placed upon the business so as to meet its unique security and regulatory footprint. The more I work with senior leadership of businesses and with security professionals, the more I recognize that there is a gap: security professionals push for tighter and richer security safeguards, while the business seeks sales.
Upon reflection I realize that there is a gap in the broader approach, and a blind spot that I and others in enterprises likely have, and that is customer requirements.
Specifically, the cross-mapping I proposed is correct, but it did not go far enough, and from my analysis nobody goes far enough. Therefore I would propose that enterprises and security compliance programs in general consider expanding their programs to include market requirements.
The mapping would be from customer requirements (such as SEC, IRS, and specific industry best practices) to the security controls of the business itself. This would influence and ultimately increase the security of the service. In addition, sales blockers would be removed and ongoing associated costs with maintaining accounts would equally be reduced.
A common statement / question: What are all the things we need to be compliant with in the world?
Corrected question: What do our clients need to be compliant with when using our services?
(The first question absolutely must be understood and ideally is a known variable, so the corrected question is the evolution of thought and of the program itself.)
A shift in my thinking over the past year, and one I hope can be further debated and evolved.
Posted in Compliance, IT Controls, Risk Management
Tagged 2013, best practices, cio, ciso, Compliance, control mapping, cybersecurity, information security, infosec, it compliance and controls, IT Controls, james deluccia, jdeluccia, security compliance program, vice president
I read a short section in Bruce Schneier’s book Liars and Outliers that tells the tale of Jamaica Ginger:
“an epidemic of paralysis occurred as a result of Jamaica Ginger… it was laced with a nerve poison… and the company was vilified”, but not until tens of thousands were victims; this resulted in the creation of the FDA.
To date, throughout most industries there is no absolute requirement with meaningful incentives to introduce and sustain operational information technology safeguards. There are isolated elements focused on particular threats and fraud (such as PCI for the credit card industry, CIP for the energy sector, etc…). So what will be the Jamaica Ginger of information security?
Some predict that it will take a cyber-war (a real one) that creates such societal disruption: a negative impact sustained long enough to survive the policy development process, and with enough motivation behind it for that process to be completed. OSHA, the FDA, and other such entities exist as a result of such events.
The best action enterprises can take is to mature and engage sufficient operations to address their information technology concerns in the marketplace. This serves as a means of self-preservation; as a (perhaps selfish) demonstration that there is no need for legislation or for a body to be established (such as a Federal Security Bureau); and ultimately as preparedness, so that should such a requirement be introduced, the changes to your business would be incremental at most.
Posted in audit, Compliance, IT Controls
Tagged 2013, best practices, china, Compliance, cybersecurity, europe, fines, fisma, it compliance and controls, IT Controls, james deluccia, jdeluccia, pci, PCI DSS, regulation, Security
An interesting discussion I had the other day raised the point:
What do we need for perfect security?
Defining perfect and security itself is difficult, but let us simply state…
- Perfect = zero events that cause competitive harm
- Security = operational integrity of environment
(note this is not restricted to a specific type of system, but directed towards the business concerns as a whole).
Over the course of the dialogue we covered the use of standards to establish the governance and security architectures; we delved into the pizza box kitchen, and of course serious amounts of detection / prevention activities. Ultimately, though, we ended at a higher level of abstraction that is far more important… at least initially.
Perfect security is defined by what the business will permit to occur. How many breaches, of what severity (physical and in person), and by what individuals are acceptable? Understanding the risk tolerance for activity, and operating at that state of operations, is far more crucial, as the entire security-compliance program results from this level of acceptance.
Thus, as we enter the New Year, and the security summits / executive committees are coming together … ask:
- What is our risk tolerance?
- What is the straw that will be unacceptable to the stakeholders, the stockholders, and simply the community as a whole?
- Define the feeling of the event, detail the services that are being discussed, and equate possible outcomes.
The idea is not to have days of risk and threat discussions, but to determine the level of acceptance and allow the practitioners and SMEs in the business to execute. Similar to the hierarchy of documents – strategy should be defined via policy, and the competency centers of excellence should then be allowed to do what they love and are paid to do at the business.
Posted in IT Controls, Risk Management
Tagged 2013, best practices, cio, ciso, Compliance, cybersecurity, it compliance and controls, IT Controls, james deluccia, jdeluccia, perfect security, security summit