Today I spoke with Marne Gordon, IBM Security’s Expert on Governance Risk and Compliance Issues. The topic of our discussion was the concept of Compliance Fatigue. This conversation is captured as a podcast at http://ow.ly/psZD, but is documented below. Some useful links have been added.
1. Tell us about Compliance Fatigue.
Customers have told us that as they integrate globally, they have become tired of the increased complexity and cost associated with compliance management activities. Individuals and organizations have simply been overwhelmed with the amount of information security and privacy regulation in the past few years, and the prospect of more to come. When organizations become overwhelmed by compliance, the greatest temptation is to do nothing. But this is a mistake: security exposure, as well as legal exposure, and abandonment of ethical and moral obligations to customers, partners, shareholders, etc. are genuine risks.
2. Realistically, what is the biggest threat to information security? To compliance?
There has been a lot of buzz recently regarding state-sponsored cyber attacks on US organizations and IP addresses. While this threat is high profile, it is not prevalent. US government officials are less worried about foreign-based cyber attacks than they are about garden-variety insider threat. Insider threat has become the #1 source of concern for the information security community because it is often the most difficult type of activity to detect and mitigate. By virtue of their employment status, trusted insiders have access to our most sensitive system resources and data assets. How can an organization realistically defend against the malicious (or even accidental) actions of a trusted insider?
3. How much compliance is "enough"?
Often companies view compliance as a checklist -- a series of action items to be completed, and then the project is "done". This is not a realistic view of infosec compliance, and can actually leave the organization with a poor security posture. Just like information security, compliance does not end, and organizations must remain vigilant to maintain a high security/compliance posture. This is where fatigue sets in. Most organizations are subject to multiple regulations -- from the Federal and state governments, and depending upon business model, international requirements. The best approach is to take an enterprise-wide view of information security controls deployment, and to use the information security program to fulfill multiple compliance mandates.
4. How can someone learn more about the topics of security governance, compliance and risk management?
I have a video on YouTube where I address Insider Threat and Compliance. You can view it at http://www.youtube.com/watch?v=-vH3CKgCkqM. Furthermore, my colleague, Calvin Powers, often blogs on these types of topics at https://www-951.ibm.com/blogs/visible/. For a view of IBM’s compliance management offerings, please go to www.ibm.com/security.
Join IBM’s security LinkedIn community at http://www.linkedin.com/groups?gid=1846255