News

Regulatory Compliance Skewing Security Budgets

• By John K. Waters
• May 16, 2005

Between 30 to 60 percent of the security budget increases in the last two years can be tied directly to compliance, according to analysts at Nemertes Research.

“That can’t be seen as anything but starving other initiatives,” says Andreas Antonopoulos, senior VP and founding partner of Nemertes, which specializes in evaluating the business impact of emerging technology. “Regulations are forcing companies to tip the balance toward a specific risk posture that is not necessarily applicable to them.”

The problem with SOX, HIPAA, GLB and the like, Antonopoulos says, is that the regulations assume a standard of corruption and ethical laxity that is very low. When you apply that standard to a company with a strong ethical core, what you get is over-burdensome legislation that is skewing budgets toward initiatives that are not necessarily addressing a company’s true security risks.

“That’s what really ticks off the CIOs, CTOs and CSOs,” Antonopoulos says, “because it takes away their ability to make basic strategic decisions about which risks they are most concerned about. Maybe they’re not worried about the risks of the CFO messing with the books, because the structure of the company isn’t one that is driven by stock growth, or the CFO just isn’t like that. They know that they have less exposure to that threat, and they want to be able to dedicate their resources to the exposures they’re most worried about—things like identity theft or disaster recovery.”

The solution: a security framework, such as the ISO 17799 security standard and/or Control Objectives for Information and related Technology.

“You can keep playing catch-up with these regulations, but your representatives on the Hill can write them much faster than you can comply with them,” Antonopoulos says. “When you structure your security organization, policies, procedures and technology around a standard framework, each new regulation is just a mapping onto a broader framework.”

Perhaps more important, Antonopoulos says, this approach allows for, if not a positive view of regulation, a more proactive approach to compliance that is likely to keep overhead down. “You implement security based on good, solid frameworks, which happen to comply with the regulations as a side effect, rather than hoping that complying with the regulation will bring good security,” he says.

Most of the participants in a recent Nemertes survey (“Securing the Enterprise: Vol 2, Regulatory Compliance,” published in April) indicated that they are spending some of their security budgets on regulatory compliance. Nearly half the participants said they are investing in policy development and documentation, and more than half are investing in regular audits to verify the adoption of those policies. Twenty-eight percent are spending on identity management; 23 percent are spending on encryption.

More information is available at: www.nemertes.com.