Dominique Levin, Executive Vice President of Strategy at LogLogic: Forecasting Compliance Strategies for 2009
April 2009 by
With the way the economy is going, CIOs will need to maximise their existing investments in software and services as 2009 will be a year of "good enough" purchases rather than bells and whistle deals.
Of course, businesses are no less accountable for data security and compliance in economic down years than they are in good times. They will always need to minimise risk and protect corporate data. Here we’ll attempt to address the compliance challenges CIOs will face this year, and further on discuss the opportunities CIOs and IT managers should consider for compliance solutions.
Key compliance challenges for 2009
1. Knowing where your data is.
Where is your data? Various iterations of the same data might be in an email attachment, uploaded to the corporate wiki, sitting on a virtual server or hiding on a mobile phone. Meanwhile, sensitive information could be posted to Facebook, leaked on an employee blog or floating around Twitter. Where is your data exactly, and who has access? Data governance is not a new issue for enterprises, but over time virtualisation, cloud computing, mobile devices and the proliferation of Web 2.0 are making data harder and harder to track.
In 2009, virtualisation and cloud computing will become even more attractive approaches to cutting storage costs and hardware investments. The jury is still out, however, with regards to correct security policies and procedures for these two technologies. Making sure virtual and cloud assets are held in compliance with mandates like the Payment Card Industry Data Security Standard (PCI DSS) will be a growing challenge, particularly with data stored in the cloud. If customers aren’t given insight into how vendors treat their information, any breach has the potential to cut incredibly deep into multiple customer data stores.
2. Managing access of privileged users and insider threats.
If you don’t believe that insider activities pose a threat to your organisation, take a look at the myriad of reports released last fall by Gartner, Cisco, Verizon Business and PricewaterhouseCoopers, and you’ll read about the increase in insider threats businesses are experiencing. It’s only human nature to be curious, but imprudent curiosity violates personal privacy, even if it is meant to be innocent. Discussion of security threats often circles around external hackers from cyberspace, but it’s time to realise that internal threats can be just as damaging, if not more so, than an external breach.
Compliance has always been focused on monitoring internal activities, but the challenge will be to maintain an accurate view of insider activities while companies potentially lay off additional staff, increase outsourcing or their remote workforce and try to find new sources of operational intelligence. Monitoring insider activities is a good first step towards accountability.
Making the best of a difficult 2009
While challenges abound in achieving and maintaining a secure and compliant enterprise in 2009, CIOs can leverage several technology and market trends to their benefit.
1. Encouraging innovation despite a global economic downturn
While businesses struggle between passing their compliance audits and trying to find new ways to innovate, forge into new markets and gain competitive advantage, something will have to give. Or, will it? IT vendors may adapt quickly to address today’s challenges by stretching their core technologies to meet higher bars for customers. Open API-based innovation, and collaboration between networks of external and internal developer communities may gain a lot of ground as a cost effective option for enterprises to combine commercially available solutions with in-house and community-developed building blocks.
2. Stretching every pound
One of the most important things for enterprises to focus on this year will be to leverage existing and new investments for multiple use cases. Some compliance investments could also be re-used by other parts of the organisation to save costs or improve operational performance. For example, user-activity monitoring technologies required to manage privileged users also provide better visibility into system performance. Thus, a compliance investment could also help lower the costs of service desk operations and make it faster and cheaper to pinpoint and resolve performance problems in IT.
3. Support from the top
Following very public security leaks last year, the public sector needs to address privacy issues for the digital age to hold government and businesses accountable for violations of personal privacy. This is what regulatory compliance is all about — requiring businesses and organisations that hold customer, patient or civilian information to be responsible for what happens to that data, and accountable if or when something goes wrong. Though compliance is often viewed as a tedious checklist of hoops that businesses must jump through to “keep the lights on”, these mandates are meant to establish a minimum standard for protecting individuals. And, of course, there are serious consequences for those businesses, healthcare organisations and government departments that fail to reach that standard.
The fact that the British public and press are so focussed on accountability around security leaks can only help CIOs to raise compliance as a top concern with management and the board of directors. It may also free up funds to address compliance-related projects.
No matter what happens this year, it will be interesting to see which types of information technologies crumble and which ones emerge to lead the next generation of computing.
Dominique Levin is executive vice president of strategy at LogLogic. Ms. Levin received an MBA from Harvard Business School and graduated with distinction. She also holds a Cum Laude M.S. degree in industrial engineering from the Delft University of Technology in The Netherlands.