Good Governance = Holistic Security, Privacy and Compliance

By George V. Hulme, Techweb


When it comes to keeping information secure and business technology systems within regulatory compliance, there's no standing still. Just a few years ago, the burden of managing IT security and privacy fell squarely on the shoulders of security managers and chief information security officers. The primary tools and tactics of their trade were defensive technologies, such as firewalls, intrusion detection/prevention systems, and anti-malware, while the readiness to withstand an attack was tested by security assessments and penetration tests.

No more.

While all those defenses remain crucial to maintaining security, privacy of customer information, and managing aspects of regulatory compliance, they're no longer enough.

Today, the importance of security, privacy, and regulatory compliance has moved to the boardroom, mainly because of the ever-growing list of industry and government regulations. For the past decade, beginning with European directives regarding private data, the U.S. Health Insurance Portability and Accountability Act (HIPAA), and the Gramm-Leach-Bliley Act, compliance has gotten more complex. More recent additions include: Sarbanes-Oxley, California's Data Breach Disclosure Laws, the Payment Card Industry Data Security Standard for merchants, and regulations being added to new geographic regions, such as Japan's Financial Instruments and Exchange Law, commonly referred to as J-SOX.

With such a breathtaking pace of new regulations and mandates, it should be no surprise that, according to the 2008 InformationWeek Strategic Security Study, most organizations (63 percent), must comply with one or more government or industry regulations, many of them vaguely worded and offering little guidance on how to translate requirements into technology.

Managing all of these regulations, in addition to the basics of securing business technology systems, has proven complicated and costly, especially for publicly traded companies and multinational businesses. Consider estimates from market watcher AMR Research that U.S. businesses spent about $30 billion on governance, risk, and compliance (GRC) efforts in 2007, about a 9 percent increase from the previous year. In fact, U.S. businesses spent $6 billion just to comply with Sarbanes-Oxley.

Those costs include not only technology investments and software purchases but, perhaps more importantly, the labor and duplicative efforts often in place to secure systems and prove compliance. "You can have workers from internal audit, IT security, and the application or infrastructure teams all conducting assessments on the same sets of systems," says Richard Ptak, principal analyst at industry watcher Ptak, Noel & Associates. "Internal controls and systems are being evaluated multiple times, causing a significant amount of redundant work."

Those ballooning costs are causing many CIOs to seek a more holistic, or systemic, approach to risk and compliance. They need to better manage all of the various areas of corporate risk, including regulatory risk, IT security, and ensuring that business technology investments are aligned with business objectives. Unifying the people, policies, processes, and technologies into a single GRC initiative should finally let CIOs manage their IT risk efficiently and effectively.

Cutting Through Complexity

The goal sounds straightforward, but one of the primary challenges of good governance and risk management is the fact that many companies store information about corporate policy, risk, and compliance in literally hundreds, if not thousands, of documents and spreadsheets. These ineffective practices worsen when multiple teams (security, network, applications, internal audit) each review and report on identical systems and controls.

Clearly, IT security and compliance management has to be simplified. For example, consider the cost of managing multiple password policies throughout a company, with differing edicts coming from internal security teams and external regulations. Melding password policies (such as length and reset time periods) into a single policy that meets the requirements for each will save costs and reduce complexity. "By governing policies in this way, companies don't have to reinvent password guidelines every time, and the efforts can be managed as a best practice throughout the entire enterprise," says Dennis Chesley, principal at consultancy PricewaterhouseCoopers.

Not every business is equally motivated, of course, and the maturity of an organization's GRC efforts runs the gamut, says Christopher Hoff, chief security architect for IT services and software provider Unisys. "Those that are not heavily regulated, or have a high tolerance to risk, may not be very far along in any risk management or governance efforts."

Organizations with minimal intellectual property, or information about customers, or that just want to make certain their systems are adequately secure and available, often have elemental security procedures in place. "These are the companies that make reasonable efforts to scan their networks and applications for vulnerabilities and then patch at-risk systems, and have security applications deployed to varying degrees," Hoff says.

On the other hand, those companies that are high-risk targets, and also must comply with multiple regulations, such as a publicly traded health-care provider, are striving to adopt a GRC approach to security, compliance, and privacy. "They want to get better at adopting their security and regulatory compliance mitigating controls, and capturing the information necessary to streamline controls, into many parts of the company," says Chesley.

"The problem with a straightforward threat and vulnerability focus is that businesses aren't always able to focus on the threats and risks that matter the most. They don't have transparency to see which vulnerabilities could lead to the greatest negative business impact," says Hoff. Essentially, they'll simply conduct a vulnerability assessment and patch the most critically ranked software vulnerabilities first. "But what if you have intermediate level vulnerabilities on your database servers and the critical risks are on your print servers? If you have good risk-management controls in place, and have properly classified your infrastructure, you're going to patch those intermediate vulnerabilities first," says Hoff.

PricewaterhouseCoopers' Chesley works with clients to define their risk tolerance and their alignment with the business. "Typically, there are multiple groups reporting on the same controls, and their results often don't reconcile," he says.

But all of the blame can't be placed on businesses. The number of controls a large corporation must manage can be extremely high, and they often extend to every technology deployed. These include identity and access management, security-event managers, and disaster recovery and records-management systems. "There's hardly an area of IT that GRC efforts don't touch," says Ptak.

Unisys's Hoff says it's also crucial to identify what aspects of the infrastructure are most important from a business perspective. That is, what databases, servers, and network segments manage and hold regulated or key business information. "The challenge is doing that not once, or once in a while, but on a continuous basis," he says.

Many companies are good at some aspects of risk management, but aren't always consistent throughout the business. "It's important to align risk management with business objectives to enable rationalized decision-making processes," says Hoff.

IT vendors, including suppliers of network and system management software, enterprise resource planning providers, and even dedicated IT GRC vendors, offer some good solutions. Many are developing a broad range of GRC management tools to help CIOs model their controls and procedures, associate those controls with relevant policies and regulations, and enforce compliance across the organization. In this way, companies can improve their visibility into compliance risks and gather the supporting evidence they need to demonstrate compliance with policies and external regulations during audits.

These solutions help compliance managers proactively analyze and report rapidly on multiple regulations and policies, explains analyst Ptak. Also, comprehensive analyses help managers quickly understand their risk profiles, so they can streamline their governance efforts and cut redundant processes.

The End Game: Savings, Efficiencies

While technology certainly will help cut the costs of risk and compliance, it's often not where the compliance process starts. Rather, the first step involves quantifying the organization's level of risk tolerance. Next comes putting in place governance policies based on those tolerances and priorities. Only then is it time to build the underlying technological controls to help the organization enforce those policies. Once in place, these defensive procedures will show considerable cost savings, primarily from the process automation. Then, the offensive game can begin.