Does addressing risk-based security decisions for your organization mean that you are also compliant in the eyes of the auditors? This is a general question Ericka Chickowski addresses in her recent article for Dark Reading – “Mapping Compliance Proof To Risk-Based Controls.” It is a compelling article that addresses a debate our industry has faced for years now. It’s also a topic that comes up frequently when I meet with CIOs and CISOs, so I thought I’d add my perspective on top of Ericka’s article.
In most organizations, there is a naturally high correlation between reducing risk and addressing compliance. However, risk management typically takes into account both the likelihood and potential cost associated with of a security breach, and puts in place controls accordingly. Compliance (as measured by auditors) typically takes a much more broad-brush approach and doesn’t do much to discern true risk from potential risk. Unfortunately, this can result in a lot of excess time, energy, and cost being expended without providing a lot of value. This is the “check-box” approach that we all have to be careful to avoid.
While no one in IT can argue against the need to address compliance requirements, it’s important to remember that compliance should not be an end goal in itself, but rather a means to effectively manage IT risk. This is especially a concern as organizations must now face growing and complex IT environments due to the proliferation of cloud technologies and mobile devices, which are significantly increasing their IT risk exposure.
Fortunately, more and more organizations are taking a risk-based approach to compliance. To do that, user populations and IT resources need to be categorized according to the potential damage a security breach could represent, if it occurred. Once categorized, controls can be designed to appropriately address the highest areas of risk with the highest degree of oversight – and the lowest degree of oversight over the areas that represent the lowest areas of risk. Compliance officers can then work hand-in-hand with their security counterparts to demonstrate to auditors that the appropriate controls are in place to address both risk and compliance. Remember, most legislation driving compliance is not prescriptive – it is the interpretation of the auditor that determines what compliance really means.
Due to the complexity of user population access privileges in most organizations and the plethora of systems, applications, databases, etc. in large IT environments, doing this categorization manually is, unfortunately, just not possible. And even if it were, it would quickly fall out of date due to the ongoing churn represented by people joining, leaving, or moving to new positions within the company. The good news is that next-generation IAM solutions (like SailPoint IdentityIQ) enable a risk-based approach to IAM, thereby providing a direct path to aligning compliance and security while addressing enterprise risk.
What is your stance on this debate? Do you think addressing risk management also means that you have taken the proper steps to address compliance?