Having recently compiled my notes from Infosecurity Europe 2009, I was fast on the hunt for similarities and differences between the views expressed “across the pond” and those held by the US markets. While there is longstanding acceptance about what constitutes a comprehensive and effective security program across both continents, what really stood out was how different our approaches were.
Here in the US, many client companies we work with have been struggling through “reconciliation” projects of one stripe or another. By reconciliation, I mean the cross-mapping of multiple regulations and industry best practices to one another as a sort of gap analysis for the controls that are being implemented in the enterprise. This practice has been pervasive for at least 5 years, since we first began our Illumination project (acquired by BindView in 2005, now a part of Symantec’s ITGRC offering), and continues to this day.
We have watched as vendors have not only promoted this problem, but have actively worked to solve it. There has been a sort of Cambrian explosion in the marketplace as vendors have ramped up the number of controls in the libraries of their products. Archer’s acquisition of Brabeion is a perfect example. In the press release, and subsequent media coverage, the addition of Brabeion’s controls library was touted as a key benefit of the deal. This arms race shows few signs of slowing, as projects such as the Unified Compliance Framework are starting to show up in RFPs for tools in this space.
One of the things we have realized in our research is that having more controls to choose from is not necessarily better. From the end user’s perspective, having a product with a gigantic library of controls actually makes the problem more difficult, since there now needs to be a long and drawn-out process of justifying and rationalizing the vendor’s content against the risk appetite and audit guidance within the organization. Having more controls implemented is also of dubious benefit, especially since it is not actually indicative of due care (what a reasonable person, in similar circumstances, would do). This particular problem is the genesis of our latest effort, The Consensus Controls Project, a portal where organizations can anonymously share which controls, regardless of origin framework, they are actually using.
Contrast this approach to what we saw in the UK. While there were many booths on the expo floor from the US heavyweights in the IT GRC space, and many UK-based start-ups, the attendees didn’t seem to understand GRC as a concept. The term itself was often met with confused looks that ended upon explanation (usually starting with defining the acronym). Nearly every person I talked to, regardless of organization type (public sector, private, publicly traded, etc.) or size, seemed to be focused on ISO and certification. They saw this as a stamp of approval on their security program by an independent outsider, and one worthy of pursuing for competitive advantage. When pressed about other control frameworks, such as COBIT, we were quickly dismissed. What these people saw was a need to get back to basics. Considering our long-held view that nothing has fundamentally changed in information security in nearly 30 years (except for the underlying technology; the basics still apply), this viewpoint resonated with us.
To sum up, what we found was that the people we talked to in the UK were more focused on picking a framework (in this case ISO’s) and working to be the best that they could be at managing to that framework, as opposed to cobbling together a controls environment from multiple frameworks and working to reconcile it internally.