Chicken, Egg or Omelette?
Just how distinct are security and compliance from each other?
Let us be honest, you do not refuse to drive 110mph on the motorway just because you have a fear of crashing; that consideration does not register anywhere near as highly as being pulled over, fined £500 and having nine points put on your licence. In the same way, it’s not just fear that drives customers to seek protection for their applications and networks. Yes, they demand solutions that keep any bad stuff out and all the good stuff in, but what are they really concerned by? I would be inclined to wager that the desire to meet regulatory compliance is at least as strong as the need for security.
It is time more resellers understood that achieving IT security accomplishes little more than personal satisfaction for your clients if they cannot prove it to their external auditors. Trends have turned 180 degrees. It’s as if compliance earns more brownie points than IT security. An IT manager who achieves his 1000th successive day of suffering no intrusions will hardly be thrown a tickertape parade on his way out of the office. But if his actions put a tick in the right box on a compliance matter, then the chief executive might become his personal friend, take him out to lunch, laugh at his jokes…
Security and compliance are completely distinct, or are they? If security is the driver, then compliance will end up rearing its head. On the flipside, if compliance auditing seeks visibility and ends up highlighting a lack of security control then, hey presto, a security project with an available budget and an urgent timescale will likely arise. Is this one of those ‘chicken and egg’ situations, or could it be an omelette?
Now that compliance and security seem inexorably linked, the benefits of one solution over another are no longer just how much it can save your customers’ time, and your customers’ money. Now it’s about saving your customers’ neck.
The real question is, how can security and compliance work together without processes and resources being replicated? Since separation of duties and audit independence are also important issues, when should they be kept apart?
Resellers need to demystify the convergence of security and compliance, and explore winning strategies that will enable them to capitalise on a market worth hundreds of millions of pounds. Every vendor touts a wordy datasheet or two about the role their technology plays in meeting PCI, Basel II, MiFID etc., though little of it makes this challenge any easier. Instead, what will be critical to resellers are solutions that address security and compliance on a unified front and that simplify the issue in the minds of customers, whatever their priorities.
Jonathan Mepsted is managing director EMEA at Imperva