Risk management is messy. The internet is riddled with known vulnerabilities, and regulatory requirements seem to change faster than you can say “Privacy Shield.”
So why can’t security and compliance teams see eye to eye?
Sixty-four percent of IT executives feel confident that compliance will protect their company against breaches, according to Vormetric’s 2016 Data Threat Report. Couple this assumption with Trustwave’s finding that 77 percent of IT professionals are pressured to take IT projects public without “sufficient security protections,” and you see the beginnings of a broken system.
Security and compliance are permanently entangled. Teams that don’t collaborate effectively risk losing both. Learning how compliance and security operate now, and why teams disagree, is the first step towards bringing groups together.
Until recently, security and compliance teams have remained siloed. Compliance is traditionally a function of paperwork: sign here, initial there, make sure critical information is laid out and legally bound. Professionals in this field succeed by understanding and adhering to extensive legal frameworks.
Contrast that with security, a highly technical function that operates deep in the bowels of IT. Security teams continuously evolve their understanding of online environments, tuning and innovating protections against an unceasing torrent of malware.
Now that forms are being validated online through software like DocuSign and ShareFile, and confidential data travels across innumerable consumerized cloud services, compliance and security overlap in many ways and the two will soon merge.
Online documents have brought compliance online and put paperwork into the realm of IT. To work with this new reality, teams must be clear on a few key things, otherwise the finger pointing will continue:
Business users would rather email company intellectual property than remember yet another login and password. IT faces a different kind of sprawl: as tools multiply (security intelligence monitoring, network breach detection, firewalls, event correlation and the rest), teams lose management and oversight of them. When IT focuses on the handful of essentials that everyone will use, such as enterprise key management and end-to-end data encryption, and prioritizes apps that end users will actually engage with, the entire company is safer.
Becoming compliant in new ways will cost a company time, but resisting that evolution will cost the business more.
There will always be new malware, and new regulations show no signs of stopping their forward march either.
Privacy is seen as a consumer rights issue in the US, but to Europeans, it is a fundamental right—and transnational agreements are getting ever more complicated because of it.
Last year, the European Court of Justice invalidated the Safe Harbor framework, finding that its rules were not specific enough to protect citizens’ data from NSA mass surveillance. Reborn as Privacy Shield, the new transatlantic agreement promises more stringent reviews and gives US agencies such as the FTC broader enforcement powers.
Does adding layers of legal directives and pulling in more agencies really guarantee data privacy across the pond? The jury is still out, but the unfolding drama of Privacy Shield should serve as a lesson to every organization wishing to keep its data both secure and compliant: align the security and compliance organizations and concentrate on forward innovation.
Alignment may take time to establish, but once achieved it lets both teams move forward with confidence and shift their focus back to the business. And that is a value proposition that everyone can appreciate.
By Kris Lahiri