Future-Proof Your Compliance Program
TOM FIELD: Hi. I’m Tom Field with Information Security Media Group and today I’m talking with Elan Winkler, Director of Messaging Product Marketing at Secure Computing Corporation. We’re talking about how to future proof your compliance program. Elan, thanks for joining me today.
ELAN WINKLER: Oh, thanks very much Tom. We appreciate your participation in this and look forward to the conversation.
FIELD: Elan, what do you mean when you talk about “future proofing”? What’s the alternative to that?
WINKLER: “Future proofing” is all about creating an infrastructure within your company that allows you to simultaneously comply with all the regulations and corporate governance rules that you are subject to. For example, as a financial institution you are a public company, so you are subject to SOX. You also offer health care benefits, so you are subject to HIPAA. Obviously, in financial services GLBA is specifically designed for you, and because you are dealing with credit cards, you are also subject to PCI. That is over and above what you as an individual company need to do in order to protect your corporate assets and comply with what the board of directors is requiring. So, all those things are happening simultaneously. “Future proofing” is all about putting together an infrastructure that allows you to simultaneously deal with all of these things coming at you in a way that is comprehensive and manageable.
FIELD: So, what is the business value of “future proofing”? What results have you seen among your customers?
WINKLER: The business values are pretty straightforward. For one thing, you get to do it once and then use it multiple times. It also enables you to be ready for the next time a regulator in Washington or the EU or Australia or anywhere else around the world that you might do business has a good idea and decides that there is a particular type of data, another piece of information that you control, that needs to be regulated. So, when you can do this, it means that you are being much more efficient; it means you are able to comply with new things down the road a lot faster. As far as results that we have seen from our customers, what it really means is it gets you into the efficiencies of doing these projects. If you take a look at just complying with HIPAA as an individual project, and then worry about how you are going to comply with SOX, and then worry about how you are going to comply with PCI, you are doomed to fail. If you look at compliance as an individual project it ain’t going to work; bottom line. What you need is a complete infrastructure that enables the right levels of security processes and procedures to protect the data that is being required by that particular regulation appropriately. And the best success we have seen among our customers is when they look at it as a whole and worry about the entire area of compliance rather than just this point project.
FIELD: Elan, let me ask you about that complete infrastructure you talked about. What are the necessary ingredients, the technologies, capabilities, etc. for “future proofing”?
WINKLER: Well, the first ingredient really needs to be a good plan. I mean, if you don’t have a plan that is comprehensive, then again, you know, you might as well go home. So, the plan needs to understand each one of the things that you need to worry about. Is it SOX, is it HIPAA, is it PCI, etc.? You need to understand what is common to those things and what the differences are so you can account for them all. Then you really need to understand what the priorities are. If you are a Level I Merchant for PCI, you’ve got deadlines that are looming really, really fast. HIPAA might not be as high a priority. You may be a small institution. So, you need to understand the timing of these things and make sure that your plan accommodates all of those appropriately. It is not going to help to be PCI compliant if you get put in jail for HIPAA violations. Once you have a really good plan, then you need to start looking for partners to help you with this. On the technology side, we really recommend looking for a strong, stable partner that has been around for a while, and you have the confidence he’s going to be there for a while to come. After all, compliance isn’t something you are going to do today and then disband six months from now. You are going to have to worry about compliance for years and years and years to come. So, a strong partner that has got the depth of experience and the breadth of knowledge to help you is really important. We also recommend that you look at a company that has a strong security orientation, because remember, all of these regulations involve securing data. So, working with somebody who does not have a strong security orientation is really going to do you a disservice. And the third thing that we recommend in looking for a partner is you want to work with as few vendors as possible. You really want a partnership out to this, because it is a long term relationship. So, a company that has a broad range of solutions that can fit in seamlessly to your infrastructure and work with you on a continuing basis, I think, is really critical.
FIELD: So, based on observations that you have made at companies you’ve dealt with, what speed bumps should people expect to hit along the way?
WINKLER: They are many and varied, Tom. Some of the things that we have seen people fall apart on are changing priorities. You know, most of us work for larger public companies, and we are all subject to the whim of the quarter and what Wall Street is expecting of us. These are not the type of projects, not the type of infrastructure changes that need to happen, that can be subject to those kinds of whims. These are long term plans that need to be put in place. That is sometimes where people fall apart. The other area that really needs a lot of attention is executive support and sponsorship. It doesn’t help for people that manage at director levels to put together these plans and then not have the executives support it. What we are really talking about, Tom, in “future proofing” is creating this culture of compliance that permeates the entire business. Every single employee’s responsibility is to compliance. They need to understand that they need to be able to adopt it into the way they do business. Hopefully, as seamlessly and unobtrusively as possible, but it does need to be part and parcel of how they work, and if the executives don’t buy into that, goodness knows the employees won’t either.
FIELD: Okay. Executives, all of us, we all want to see early successes in a program like this. What are some of those signs that somebody should look for?
WINKLER: Again, the signs vary depending on the account and what you are looking to accomplish. I think the best sign is when you take a look at how you put together a particular process or procedure and then run different types of data against it. SOX, for example, has to deal with corporate financial data, HIPAA deals with health care data, PCI with credit card data. If you can take the same process and procedure and adequately protect all of those three different types of data without having to make major modifications, then I think that is a really good sign of early success.
FIELD: Okay. Now we talked about regulatory compliance and the regulations that people have to comply with today. How does “future proofing” help prepare the institution for upcoming regulatory requirements?
WINKLER: That is what it is all about. That is where the big win is. If you can put together a culture of compliance, this infrastructure that allows you to protect your people, your data and your technologies, then anything that comes down the pipe will fit into that framework. The culture of compliance is all about creating a way of operating that automatically provides security for sensitive data. So, it doesn’t matter if next year, next month, next quarter some bright politician in Washington decides that instead of just protecting x amount of data there is a new type of thing that needs to be protected. If you have created a culture of compliance, if you have been able to future proof your infrastructure, then it doesn’t matter what those regulators come out with; you will be able to fit that in seamlessly and very quickly and very easily, saving a whole lot of time and a whole bunch of money.
FIELD: Let me ask you about this; you said it a couple of times now. This “culture of compliance”; what does that really mean in the context of “future proofing”?
WINKLER: It gets into the whole concept that compliance is the in the project. If you look at it as individual projects, you are doomed to fail. But if the company embraces this idea that compliance is what we are all about, we are about securing data, we’re about making sure that the information that is entrusted to us as a financial institution or as any other business is handled appropriately, is treated with the sensitivity that it deserves and requires, then we’ve created an environment where “future proofing” is possible.
FIELD: Now, based on others’ experiences, if there were one piece of advice you would offer to a financial institution regarding “future proofing”, what would that be?
WINKLER: One piece of advice? Boy, that is tough, because there is so much involved in this. I think having a good plan, knowing what it is that you need to accomplish, and then having the right partners. If you have partners, as I’ve mentioned, that have a strong security orientation, that have a strong level of technology, that will enable you to do this as seamlessly as possible. I mentioned a couple minutes ago, and I just want to stress this point as well: the individual employees within a company have a job to do, and while you need to create a culture of compliance, security is not every individual employee’s primary job. Their job is to contribute to the profitability of the company and to the success of the company’s customers. So, as IT professionals, as compliance professionals, the more we can put in place that enables compliance without major impacts to how an employee does a particular job, the more successful we are likely to be.
FIELD: Well said. I want to thank you, Elan, for your time and your insights today.
WINKLER: Oh, it was a pleasure talking to you, Tom.
FIELD: And for Information Security Media Group and for Secure Computing Corporation, I am Tom Field. Thank you for listening.