A letter to the CBR editor from Rob Warmack at Tripwire:
Most organisations still view compliance as an annual or quarterly project: an exercise in meeting the minimum requirements needed to pass the audit. The end goal of each project is ticking the box marked "compliance", rather than improving security and safeguarding valuable corporate assets, including brand reputation.
The result of this "tick box" attitude is a massive increase in pre-audit effort, with staff pulled away from key business-facing initiatives to gather reports and respond to deficiencies. Once the tick is achieved, staff slide back to their original tasks, and the company slides straight back out of compliance until the next audit.
What is required is a continuous approach to security and compliance, supported by automated detection of suspicious events and changes that may lead to data compromise, and, when needed, by a rapid response to those changes that brings the organisation back into a secure and compliant state.
With this continuous approach, organisations can move away from the expensive, inefficient peaks of audit activity. A compliant state is attained and then sustained: vulnerabilities introduced by a failed patch or a seemingly harmless administrative change are fixed proactively, and systems under live attack can be defended quickly.
The goal, therefore, should not be merely achieving compliance, but creating a culture of continuous security. Compliance will then be achieved more easily and at lower cost, and organisations can raise security from the baseline of regulatory compliance to a standard that truly reflects today's level of corporate threat.
55 Old Broad Street