Regulatory Compliance Skewing Security Budgets
- By John K. Waters
- May 16, 2005
Between 30 and 60 percent of the security budget increases in the last two years
can be tied directly to compliance, according to analysts at Nemertes Research.
“That can’t be seen as anything but starving other initiatives,”
says Andreas Antonopoulos, senior VP and founding partner of Nemertes, which
specializes in evaluating the business impact of emerging technology. “Regulations
are forcing companies to tip the balance toward a specific risk posture that
is not necessarily applicable to them.”
The problem with SOX, HIPAA, GLB and the like, Antonopoulos says, is that the
regulations assume a very low baseline of corporate ethics, treating corruption
and laxity as the norm. When you apply that standard to a company with a strong
ethical core, the result is over-burdensome legislation that skews budgets toward
initiatives that do not necessarily address the company’s true security risks.
“That’s what really ticks off the CIOs, CTOs and CSOs,” Antonopoulos
says, “because it takes away their ability to make basic strategic decisions
about which risks they are most concerned about. Maybe they’re not worried
about the risks of the CFO messing with the books, because the structure of
the company isn’t one that is driven by stock growth, or the CFO just
isn’t like that. They know that they have less exposure to that threat,
and they want to be able to dedicate their resources to the exposures they’re
most worried about—things like identity theft or disaster recovery.”
The solution: a security framework, such as the ISO 17799 security standard
and/or Control Objectives for Information and related Technology (COBIT).
“You can keep playing catch-up with these regulations, but your representatives
on the Hill can write them much faster than you can comply with them,”
Antonopoulos says. “When you structure your security organization, policies,
procedures and technology around a standard framework, each new regulation is
just a mapping onto a broader framework.”
Perhaps more important, Antonopoulos says, this approach allows for, if not
a positive view of regulation, at least a more proactive approach to compliance
that is likely to keep overhead down. “You implement security based on good,
solid frameworks, which happen to comply with the regulations as a side effect,
rather than hoping that complying with the regulation will bring good security.”
Most of the participants in a recent Nemertes survey (“Securing the Enterprise:
Vol 2, Regulatory Compliance,” published in April) indicated that they
are spending some of their security budgets on regulatory compliance. Nearly
half the participants said they are investing in policy development and documentation,
and more than half are investing in regular audits to verify the adoption of
those policies. Twenty-eight percent are spending on identity management; 23
percent are spending on encryption.
More information is available at: www.nemertes.com.
John K. Waters is a freelance writer based in Silicon Valley. He can be reached
at [email protected].