Tag Archives: security compliance program

An attribute of a mature security compliance program

The security compliance program of an enterprise is a core function in the achievement of sales, maintaining regulatory and contractual obligations, meeting the security challenges in a connected world, and achieving a balance of consistent operations while returning a profit for the business. A challenge within these programs, and especially for businesses do that do not have a consolidated mature program operating at the executive level is the transparency of cost and improvement of margins within operations.

Transparency of cost relates to the costs of supporting compliance, security, and privacy requirements within products and services. The lack of transparency can exist in many areas, but this article focuses on the specific costs related to reporting to third parties on the state of the compliance and security program. Cost of such can exist in any of the following scenarios:

  1. Sales person seeking to close a sale brings onboard an engineer and product manager to speak to / commit on security and regulation safeguards. Such initiation of new agreements may require a 250+ questionnaire to be completed by such an engineer that typically requires additional parties to respond – resulting in roughly 30-50 hours of engineer time x % of new deals signed annually)
  2. Help desk pulling in engineers to respond to security / compliance question submitted online (roughly 1-3 hours of engineer time x # of customer requests)
  3. Annual queries directed at engineers, leadership, product managers, and sales teams demonstrating security and compliance programs exist or controls specific to customer request are satisfied. Such annual queries may involve questionnaires as mentioned above (30 hours approximately to address), on-site audits, and 3rd party audit reports.

The end result of this singular area of cost is time taken from valuable engineers away from developing product, improving product, and executives focused on tactical activities. In addition, a non-optimized security compliance program does not gain any leverage by the above activities, so each activity is repeating past work. Zero scale is achieved.

Reflecting on your organization, improvements can be gained. An attribute that has proven beneficial is to consider the following that easily measurable and can be tracked:

  1. What is the unique number of security and compliance controls deployed within the products & services?
  2. What is the number of queries for each period?
  3. What is the number of FTE hours to address these queries? (the above are averages that I have seen, but analysis is worth refreshing for your organization)
  4. What is the number of interactions the individuals have with the customers?
  5. What is the current central approach to meeting the needs and responding to such queries?

The last question is leading to the idea that the program should be centralized in a manner to manage these questions centrally. This provides scale, lessons learned, and coordination across the business. The program itself when designed and tracked in such a manner becomes part of the sales process, account maintenance, and a regular touch point for the customer. Establishing the proper executive leadership and integrating this program is critical to every direct to consumer business, and more so for the rapidly growing technology services sector.

Thoughts?

James DeLuccia

Rethinking what security controls you MUST address

In 2008 I wrote a book, partially on the premise of cross mapping regulations together in a manner to build a common control framework for enterprises. The genius here was to address all requirements placed upon the business to meet their unique security and regulatory footprint. The more and more I work with senior leadership of businesses and security professionals I recognize there is a gap. The security professionals pushing for tighter and richer security safeguards, and the business seeking sales.

Upon reflection I realize that there is a gap in the broader approach and a blind spot that I and others likely have in enterprises, and that is the customer requirements.

Specifically, the cross mapping I proposed is correct but it did not go far enough, and from my analysis nobody goes far enough. Therefore I would propose enterprises and security compliance programs in general consider expanding their programs to include Market requirements.

Screen Shot 2013-01-09 at 3.47.49 PM

The mapping would be from customer requirements (such as SEC, IRS, and specific industry best practices) to the security controls of the business itself. This would influence and ultimately increase the security of the service. In addition, sales blockers would be removed and ongoing associated costs with maintaining accounts would equally be reduced.

A common statement / question: What are all the things we need to compliant with in the world?

Corrected question: What do our clients need to be compliant with when using our services?

(the first question absolutely must be understood and ideally is a known variable, so this corrected question is the evolution of thought and the program itself)

A shift in my thinking over the past year, and one I hope can be further debated and evolved.

Kind regards,

James DeLuccia