The Gap Between PCI Compliance And IT Security


You may have seen this diagram before; it's meant to be both entertaining and instructive. It is obvious to all of us that if your organization's focus is to "be compliant", the goal of being truly secure is never going to be reached.

Look at the recent data breaches at Target, Neiman Marcus and the rest, which tell the story to a degree.

There is this thing called a "false sense of security": being compliant does not equal being secure. To bridge this crack (or gap) between compliance and security you need to have some flexibility and tools in place to make all the pieces of the puzzle come together.

We all know that ultimately it's the "3 P's" that are the Achilles' heel of IT security: People, Policy and Procedure. If you have a good grasp on all three P's, you are a hard target that the hackers may pass by because it's just not paying off for them time-wise.

Let's take the PCI DSS standard as an example. Sure, it reduces risk, but does it make you secure? Nope, because PCI is very rigid and not flexible enough to be adjusted to your organization's real security requirements. If you want your infosec program to be effective, you need a framework that allows you to assess your own risk and adjust based on your security requirements.

Looking from the top down, IT security risk is part of the bigger risk picture, which includes customer risks, shareholder risks, exchange rate risks, market risks and many more. Additionally, risk is not black and white: it starts with black and rises through 50 shades of gray to white. Executives make reasonable decisions based on a real-time risk/reward equation built on the best data that they can get. As a matter of fact, Western case law is built on this "reasonable person" standard.

How does this apply to IT security? Has your organization done what any other reasonable person would do to protect their infrastructure? You may not be aware that data breach class-action lawsuits are the legal profession's biggest "growth market". Recent court decisions show that just being PCI compliant and leaving it at that is not cutting it. The judge wants to know whether what you have done is reasonable compared to your industry.

So how do you bridge the gap between PCI compliance and IT security? 

PCI has two compliance sections: technology controls and administrative controls. Everyone that takes credit cards is required to have these controls in place, so there is no choice but to comply. However, how about streamlining the process so that a minimum amount of time is taken up by audits, leaving you free to focus on the real nitty-gritty of IT security?

Here’s a new way to manage this problem.

As stated above, compliance is mainly a matter of "people and processes", and tools come second. But what if you could deploy a tool that would automate your people and processes problem? Up to now, these tools were only affordable for the Fortune 500, but KnowBe4 has developed KCM as Software as a Service. KCM consolidates your audit management and regulatory compliance tasks into simple automated workflows which prevent overlap and eliminate gaps. "By admins for admins", whether you are responsible for PCI in a 50-user site or an MSP managing dozens of companies and thousands of seats.

KCM introduces an abstraction layer that dramatically reduces duplicate effort. Some immediate benefits you can realize by deploying KCM are:

  • Consolidate multiple regulatory requirements into one list with KnowBe4's proprietary Controls Reduction Engine (CRE)™
  • Elimination of duplicate efforts (saves time, saves money)
  • Compliance Calendar keeps you on the path to maintaining compliance through automated alerts
  • One centralized interface for managing multiple areas
  • Fast setup using PCI-DSS, HIPAA, GLBA and other Compliance Templates
  • Follows the DRI (Directly Responsible Individual) methodology of assigning specific people to audit tasks
  • The Audit Evidence Vault™ provides a safe and secure way of storing and accessing policy/procedure documentation and audit evidence files
  • You can create custom compliance templates that allow you to track compliance with any standard or regulation such as OSHA, SSAE-16 SOC, FISMA, or state-specific guidance.

Sign up for a web-demo here and find out if this tool will be a good fit for your environment: