Merely complying is not enough

Steer customers beyond a fixed view of compliance and annual audits, says Mehlam Shakir

For many businesses, complying with regulations such as PCI DSS, GPG13 or CoCo is a necessity. However, more and more organisations think only about what must be done to reach that compliance.

In my view, this undermines and negates the security measures that should be in place as a first port of call.

And this means that more businesses are finding themselves at risk because basic security measures are either not in place or not up-to-date.

When employees leave, and new hires and clients are brought in, an annual audit can quickly become outdated. The annual audit mentality, which focuses narrowly on avoiding fines, means companies all too easily fall out of compliance.

This has led to many data breaches, and businesses have subsequently been found to be non-compliant with various regulations.

This is just not good enough. We need all businesses to review their security procedures to ensure customer data is secure.

Businesses need to think about ensuring they have continuous compliance. They must focus not only on basic security requirements, but on building a robust security infrastructure.

Security Information and Event Management (SIEM) software that monitors data use in real-time is one way that customers can achieve continuous compliance and have a robust security suite at the same time.

If you focus on security, you have the opportunity to achieve both security and compliance.

However, it is likely that you will fail at both tasks if you focus merely on compliance.

Mehlam Shakir is chief technology officer at NitroSecurity