Beyond compliance: Why we need to move past tick-box security

Hands up: who has ever deployed IT security products purely to meet compliance regulations rather than to increase security? According to a survey carried out at RSA Conference this year, over 61% of attendees admitted that they had.

It's easy to assume that compliance equates to better security. But here's the thing – in truth, there is not one single security product on the market today that is designed to be dropped into an organisation and then rolled out nicely in the background to keep the organisation 100% secure.

The industry is getting good. But not that good. The fact is, security products need a little love and attention in order for organisations to get the maximum security potential. And some more than others.

> See also: PCI DSS: what's the right compliance path for your business?

It's worrying to see figures that show nearly 70% of organisations don't believe they are getting the most from their security products because they think they are either too complicated, too time consuming or they don't believe they have the right expertise. And out of these folks, over 70% confess to knowing that because they don't use their security products to potential, it puts their organisations at risk.

While admittedly there is much work to be done in our industry on the product, support and maintenance side, here are some tips organisations can use now to decrease their risk and get the most from their security products.

Choose wisely

Ok, so this may not apply to those who have already implemented security products, but may help when it comes to reviewing them. Too many companies get sucked in by the biggest brand names in security with little consideration for their actual organisational needs.

By asking simple questions at the start, you can narrow down the right IT security product(s) for your organisation. More importantly, you can avoid excess spending and wasted time.

Do you have existing IT security expertise? Will you need to hire someone? Maybe you can deploy the product in house or will a managed service make more sense What is the support like? Does the manufacturer or reseller offer training? How responsive is the supplier to your communications? If the vendor isn’t great at the start when trying to make the sale, then there's no hope when it comes to support later.

Train and maintain

Whether the security product is sold directly from the manufacturer or through other channels, there should be training available. From online tutorials to in-person tutelage, put a significant amount of time into learning the product at least at the start, and then smaller amounts of time monthly or quarterly to review.

After all, if you're not using the IT security product correctly, you might as well not have it at all. 16% of survey respondents said that what prevented them from using their security products to their full potential was that they were too time consuming. Without a doubt, in the long run, carving out time to learn about the product properly will ultimately save you time. Just do it.

Compliance is important, but it doesn't stop there

Repeat after me: 'no compliance for compliance sake.' Regulatory compliance is crucial to businesses, there is no argument there. And yes, it is true that the main driver for a lot of businesses when searching for security products, whether they care to admit it or not, is compliance.

But it can't just stop there. Tick-box security has proven time and time again to not be effective enough; and if you don't believe it, ask the over 1,500 companies that were breached in 2014. At one point, each of these companies may have been compliant, even at the time of the breach.

The goal should be continuous compliance, not merely compliance as a one-time event. And there are products that make compliance easier to maintain than others, so doing homework in this area is important as well.

> See also: Six ways email security can aid compliance

While it is positive that companies are thinking more and more about things like compliance and taking steps to achieve it, more emphasis needs to be placed on the security aspect. It's no good thinking you've bought a 'plug and play' IT security product that will ultimately fail because it hasn't been implemented and maintained correctly.

It is worth every penny and minute that goes into choosing and maintaining the right security product if it means saving the company the devastation of a data breach. After all, it is extremely rare to find headlines that blame a security product for a data breach. It nearly always comes down to the breached organisation's name being dragged through the mud.

Sourced from Chris Stoneff, VP technical management, Lieberman Software Corporation

Avatar photo

Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...

Related Topics

Compliance
Risk Assessment