Mere deadline compliance is not enough
Rob Warmack says VARs could help customer organisations attain a more continuous and useful compliance status
Most organisations still view compliance as an annual or quarterly project: an exercise in performing the minimum required to pass the audit.
Each project is aimed at ticking the box marked "compliance" rather than at improving security and safeguarding valuable corporate assets, including but not limited to brand reputation.
The result of this tick-box attitude is a massive increase in pre-audit effort, with staff distracted from key business-facing initiatives to gather reports and respond to deficiencies.
Once that tick is achieved, staff simply turn back to their original tasks, and the company slides straight back out of compliance. Until the next time.
What is needed is a continuous, ongoing approach to security and compliance, supported by automated detection of the suspicious events and changes that may lead to data compromise and, when needed, a rapid response to them.
This brings the organisation back to a secure and compliant state and keeps it there.
With this more continuous approach, organisations that are customers of the IT channel can move away from having those expensive, inefficient peaks of audit activity.
A compliant state is attained and then sustained through the ability to fix vulnerabilities introduced by a failed patch or a seemingly harmless administrative change, or to react quickly and defend systems from a live attack.
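The mechanism behind this "attain and sustain" cycle is a change-detection loop: take a hash baseline of the files that matter to a control when the audit passes, re-snapshot them on a schedule, and flag any difference that has no approved change record behind it. The following is an added illustration written for this page, not Tripwire's product code or any customer's configuration; the directory layout, file contents and the approved-change list are constructed for the example.

```python
"""Continuous configuration-drift check (added example; not Tripwire's code).

Takes a baseline hash snapshot of files that are in scope for a compliance
control, re-snapshots them on a schedule, and reports any change that was
not pre-approved through change management. The directory layout, file
names and the approved-change list below are constructed for illustration.
"""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root: Path) -> dict:
    """Map each regular file under root (relative path) to its SHA-256 digest."""
    result = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            result[path.relative_to(root).as_posix()] = digest
    return result


def compare(baseline: dict, current: dict) -> dict:
    """Classify drift between two snapshots as added, removed or modified paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def unapproved(drift: dict, approved: set) -> list:
    """Return every changed path that has no matching approved change record.

    Anything left here is the "slide back out of compliance" described above:
    a change nobody signed off, which needs investigation or rollback.
    """
    changed = drift["added"] + drift["removed"] + drift["modified"]
    return sorted(p for p in changed if p not in approved)


def demo() -> list:
    """Run the whole cycle on a constructed file tree and return unapproved drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "sudoers").write_text("root ALL=(ALL) ALL\n")
        baseline = snapshot(root)  # taken when the audit passed

        # Constructed events: an approved patch touches sudoers, an unrecorded
        # admin change weakens sshd_config, and a stray file appears.
        (root / "etc" / "sudoers").write_text("root ALL=(ALL) ALL\n# patched\n")
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "etc" / "debug.conf").write_text("verbose=1\n")

        drift = compare(baseline, snapshot(root))
        approved = {"etc/sudoers"}  # constructed change-management record
        return unapproved(drift, approved)


if __name__ == "__main__":
    for path in demo():
        print("UNAPPROVED CHANGE:", path)
```

Run on a schedule, the output is the work queue: each unapproved path is either rolled back to the baseline or investigated, and the baseline is re-taken only after the change has been approved. Hash comparison alone does not say whether a change is harmful; that judgement comes from the approval record and from review of what changed.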
The goal, therefore, should not be about merely achieving compliance, but creating a culture of continuous security.
Compliance will then be achieved more easily and for less cost, and organisations can raise their security from the base of regulatory compliance to a standard that truly reflects today's levels of corporate threat.
Food for channel thought?
Rob Warmack is EMEA director at Tripwire