Cost-Effectively Dealing with the Growing Security Compliance Issue

By Michael Hamelin
Friday, August 10th 2012

In cost-conscious times, most IT budgets, the security department's included, are under constant review, and usually in a downward direction. At the same time, and just to make life interesting, the volume of regulatory and compliance requirements is heading in the opposite direction. That makes the job of a hard-pressed IT security admin or manager all the more difficult, especially given the disparate operating systems and networking environments we all have to deal with on a regular basis. Dealing with heterogeneous networking and IT environments is now an integral part of the modern IT security function, but one unfortunate fact of life is that keeping up with a rising tide of security compliance requirements can prove expensive.

And it’s all about the audit process – right?

Perhaps not. Most IT security audit processes rarely go beyond their green-pen 'tick and check' limitations, mainly because customised security audits are labour-intensive. In an ideal world, of course, IT audit testing procedures would be both automated (to save on labour costs) and highly flexible, covering most forms of testing, including targeted, external, internal, blind and double-blind testing.

External testing, in case you were wondering, targets a company's externally visible servers and devices, including domain name servers, email servers, web servers and firewalls, with the objective of discovering whether an outside attacker can get in and, once in, how far they can go. Blind testing simulates the actions and procedures of a real attacker by severely limiting the information given beforehand to the person or team performing the test. Double-blind testing takes this a step further: only one or two people within the organisation are aware that a test is being conducted, so the organisation's own detection and response are exercised as well as its perimeter. Blind and double-blind testing, desirable though they may be, can prove expensive, largely because of the relatively high cost of the human labour required. IT-based testing, sometimes called automated testing, is considerably cheaper, as its costs tend to be fixed: no matter how much the facility is used, there are usually no appreciable extra costs.

Human labour costs, on the other hand, tend to have both a fixed and a marginal component, with the marginal element rising the more the facility is used.

Small wonder, then, that hard-pressed IT security professionals are constrained by the same fixed and marginal cost issues that our accountancy colleagues discuss with their peers in other departments, IT operations included. Unfortunately for us all, the cost of compliance, and I am talking here about the rules imposed by the likes of PCI DSS, Sarbanes-Oxley and Basel II, is rising and, because of the need for flexible reporting, can easily get out of hand if more human labour is required than was planned for.