SlideShare une entreprise Scribd logo

'But I was compliant.' Investing in Top-Down Security to Build a Compliant Business

Armor
Armor

It’s a story you’ll watch unfold time and time again. The breach. The headlines. The confusion. The public apologies. The finger-pointing. And it’s often followed by some form of the following: “But I was compliant.” Compliance is never enough. The challenges are understandable. Taking the path of least resistance is not. Direct download at: https://www.armor.com/resources/white-papers/but-i-was-compliant/.

Technologie
1  sur  9
@ARMOR | ARMOR.COM | PAGE 1PAGE 1 ‘But I was compliant’ INVESTING IN TOP-DOWN SECURITY TO BUILD A COMPLIANT BUSINESS
INVESTING IN TOP-DOWN SECURITY TO BUILD A COMPLIANT BUSINESS @ARMOR | ARMOR.COM | PAGE 2 Compliance is never enough Businesses face mounting pressures to protect their data. Attacks are increasingly sophisticated and organized, and the stakes are higher. No longer is the typical hack focused on defacing a website; now, attackers are stealing and selling valuable data in exploits that can do more than just embarrass a company — they can destroy it. When there’s a problem, the human response is to seek a solution. So, the consequence of more breaches is more regulations. This is borne out by an increasing number of regulatory agencies issuing their own requirements; creating an extremely complex web of requirements that businesses are not always sure how to address. Many of the rules are not overly detailed because regulatory agencies don’t want to get mired in having to keep up with new threats and technologies. As such, they provide high-level requirements such as, “ensure the confidentiality, integrity and availability of all (fill in the blank) data and protect it against all reasonably anticipated threats.” At the same time, regulations are written, monitored and enforced in different ways by different regulatory agencies, leaving businesses struggling to understand if they’re in compliance. The challenges are understandable. Taking the path of least resistance is not. No matter the confusion. It’s a story you’ll watch unfold time and time again. The breach. The headlines. The confusion. The public apologies. The finger-pointing. And it’s often followed by some form of the following: “But I was compliant.”
INVESTING IN TOP-DOWN SECURITY TO BUILD A COMPLIANT BUSINESS @ARMOR | ARMOR.COM | PAGE 3 While businesses may not fully understand their compliance requirements, they do understand the impact of regulatory fines and damaged reputations. To prevent those pains, organizations tend to focus on ticking off the boxes of a compliance checklist, assuming that if compliance is met, their data must be safe. But when companies lose sight of the intention behind the regulations — to safeguard sensitive data — and treat compliance itself as the primary objective, gaps are created between their perceived level of security and their actual level of security. They think they’re safe, but they’re not. Consider the number of strong brands that have suffered infamous breaches; most of them had been judged as compliant, but compliance wasn’t enough to prevent attacks that cost millions of dollars and immeasurable damage to their reputations. Since compliance is simply a method to demonstrate how your security program meets a specific set of criteria — at a specific point in time — a better approach is to focus on security first. If your security program is strong, compliance will be addressed. And it will be done so in a way that supports a healthy business instead of draining resources in the pursuit of tick marks on a checklist. “… when companies lose sight of the intention behind the regulations — to safeguard sensitive data — and treat compliance itself as the primary objective, gaps are created between their perceived level of security and their actual level of security.” Compliance does not equal security
INVESTING IN TOP-DOWN SECURITY TO BUILD A COMPLIANT BUSINESS @ARMOR | ARMOR.COM | PAGE 4 Continuous security & compliance Security and compliance are not static endeavors. You don’t, for example, install a firewall and then never revisit the configuration. Likewise, even though compliance is typically measured once a year, it is supposed to be maintained continuously. Unfortunately, the threat landscape evolves in real time, outpacing updates to regulations and capabilities of security tools. This requires that organizations be constantly vigilant to ensure that their security posture remains strong by keeping their controls current and measuring their compliance on a more frequent basis. A prime example of the many organizations that don’t embrace this approach, a popular U.S.-based home improvement retailer successfully passed compliance assessments but still fell victim to an attack that went undiscovered for six months. If the company had an effective and current security and compliance program, it would have been continuously updating its controls and monitoring its environment. Its network would have more likely remained stay secure while also meeting regulatory requirements. Such was not the case. When a company marks the boxes on its compliance checklist and considers its security activities to be complete, it is not only leaving itself open to the loss of intellectual property and business-critical data, it is also building inefficiencies into its security efforts. A security-first approach is holistic, so everything from the tactical mapping of controls to the strategic planning of its risk management program work in concert. That streamlines security operations, which reduces costs, increases value and produces better results. “A security-first approach is holistic, so everything from the tactical mapping of controls to the strategic planning of its risk management program work in concert.” Security is the horse, compliance is the cart SECURITY COMPLIANCE
INVESTING IN TOP-DOWN SECURITY TO BUILD A COMPLIANT BUSINESS @ARMOR | ARMOR.COM | PAGE 5 Complete data security Regulatory requirements protect specific types of data. However, companies own more types of data than what are covered by regulations. In fact, a business’s proprietary research, product strategies and other sensitive data may be its most valuable assets. But companies that rely on regulatory checklists to guide their data protection strategies leave a great deal of that valuable information exposed. A security-first approach does not segment data solely according to compliance requirements; it also classifies data according to its sensitivity, location, attractiveness to attackers and other factors. The end result is that all of a company’s data is protected appropriately, including the data subject to regulations. Compliance is met and the enterprise is safeguarded in its entirety. Reduced expense A compliance-first approach leads to the purchase of tools that may or may not be effective in concert with other security efforts. In addition, because there is so much overlap between regulatory standards, companies may make redundant purchases that eat up budget without meaningfully improving security. Running a patchwork of products raises payroll costs as consultants and specialists are hired to research, select, purchase, implement and manage each new tool. But the worst expense a compliance-first approach can create is the expense of a breach, and the cost of a breach is likely to far exceed the amount that a strong security program would have cost in the first place. A security-first approach drives a sensible purchasing strategy. Security investments are no longer a jumble of tools purchased to meet a string of standards in one or more regulatory documents; instead, investments are part of a strategic effort that serves a real-world demand beyond the need to avoid fines. The entire business is protected — not just the areas subject to regulation — and that leads to a greater return on investment. EXPOSED DATA SECURED DATA THROUGH COMPLIANCE REGULATIONS Relying on regulatory checklists to guide data protection strategies leave a great deal of that valuable information exposed.
INVESTING IN TOP-DOWN SECURITY TO BUILD A COMPLIANT BUSINESS @ARMOR | ARMOR.COM | PAGE 6 Simplified audits For companies using a security-first approach, demonstrating compliance is a reporting exercise rather than a scavenger hunt. The auditor only has to map the existing documentation of the controls to the regulatory requirements and describe how the requirements were met. This allows third-party assessors to validate compliance more quickly and be less disruptive to the organization; resulting in reduced hard and soft audit costs. Streamlined management Managing security in a compliance-first organization shifts authority from those who most need it — the highest level of security personnel in the company — and places it in the hands of the chief compliance officer or the general counsel. Certainly, the compliance executives need to work closely with the security leaders, but security strategies and investments require the specialized knowledge of a CISO, CSO or security director. After all, few compliance executives are likely to have the deep level of technical expertise necessary to ask the right questions of a cloud provider or to select the right hypervisor-based network firewall. In a security-first organization, security managers can keep compliance personnel up to date on purchases and work with them to identify which regulatory requirement is met at the time of purchase. That gives the enterprise a constant and complete understanding of its regulatory status, and audits are no longer a source of disruption and expense. For companies using a security-first approach, demonstrating compliance is a simple reporting exercise
INVESTING IN TOP-DOWN SECURITY TO BUILD A COMPLIANT BUSINESS @ARMOR | ARMOR.COM | PAGE 7 A checklist is not a defense There is no instance in which a security-first practice is weaker than a regulatory standard; the security-first approach is shaped by the realities of the threat landscape. Since threats are constant, monitoring and mitigation are ongoing activities. A company that only reviews its security posture annually is exposed for the other 11 months to any number of threats, while a security-first company proactively monitors its assets continuously and responds to threats immediately. Since threats are evolving, configuration updates and patches are implemented and managed with diligence in a security-first environment. As new threats arise, the company knows its methods will keep it as secure as possible. A company that waits until an audit is impending before it verifies its network diagram is consistent with firewall configuration standards or that its patch management program is properly documented creates uncertainty. Patches may be installed without being tested first, and that can crash business-critical systems. In the scramble to meet compliance, a business can do more harm than good and still fail in its goal of marking off a line on the checklist. Since threats are complex, third-party software and IT vendors are included in a security-first program; regulated companies that don’t ask for an Attestation of Compliance (AOC) from their vendors and perform the appropriate due diligence are, in effect, spending money to create risk. A security-first approach includes procedures for onboarding and monitoring vendors so the company doesn’t become collateral damage if a vendor is breached.
INVESTING IN TOP-DOWN SECURITY TO BUILD A COMPLIANT BUSINESS @ARMOR | ARMOR.COM | PAGE 8 Businesses don’t exist for the purpose of achieving compliance; they exist to serve their customers and create value for their shareholders. The best way to achieve those objectives, while still meeting regulatory requirements, is to stay focused on the reason behind the rules: to protect sensitive data. Organizations that look beyond the checklist and take a holistic approach to their security are in the best position to ensure the security of their data and the health of their businesses. This is the key to leveraging security to build a successful and compliant business. Take a holistic approach to security “A security-first approach drives a sensible purchasing strategy. Security investments are no longer a jumble of tools purchased to meet a string of standards in one or more regulatory documents ...” Discover which Armor solution best matches your data workloads with our 30-second online tool. START NOW
INVESTING IN TOP-DOWN SECURITY TO BUILD A COMPLIANT BUSINESS @ARMOR | ARMOR.COM | PAGE 9 US 2360 Campbell Creek Boulevard, Suite 525, Richardson, Texas 75082 | Phone: +1 877 262 3473 UK 268 Bath Road, Slough, Berkshire SL1 4AX | Phone: +44 800 500 3167 © ARMOR 2016. All rights reserved. US 2360 Campbell Creek Boulevard, Suite 525, Richardson, Texas 75082 | Phone: +1 877 262 3473 UK 268 Bath Road, Slough, Berkshire SL1 4AX | Phone: +44 800 500 3167 © ARMOR 2016. All rights reserved.

Recommandé

Firehost Webinar: Getting Ready for PCI 3.0
Firehost Webinar: Getting Ready for PCI 3.0Firehost Webinar: Getting Ready for PCI 3.0
Firehost Webinar: Getting Ready for PCI 3.0Armor
 
Getting Ready for PCI DSS 3.0
Getting Ready for PCI DSS 3.0Getting Ready for PCI DSS 3.0
Getting Ready for PCI DSS 3.0Armor
 
The Cloud Crossover
The Cloud CrossoverThe Cloud Crossover
The Cloud CrossoverArmor
 
Case Study - Currency from the Cloud: Security & Compliance for Payment Provider
Case Study - Currency from the Cloud: Security & Compliance for Payment ProviderCase Study - Currency from the Cloud: Security & Compliance for Payment Provider
Case Study - Currency from the Cloud: Security & Compliance for Payment ProviderArmor
 
Cybersecurity - Whose responsibility is it?
Cybersecurity - Whose responsibility is it?Cybersecurity - Whose responsibility is it?
Cybersecurity - Whose responsibility is it?Armor
 
Security Operations in the Cloud
Security Operations in the CloudSecurity Operations in the Cloud
Security Operations in the CloudArmor
 
Ransomware
Ransomware Ransomware
Ransomware Armor
 
Keys To Better Data Security In the Cloud
Keys To Better Data Security In the CloudKeys To Better Data Security In the Cloud
Keys To Better Data Security In the CloudArmor
 

Recommandé

Firehost Webinar: Getting Ready for PCI 3.0
Firehost Webinar: Getting Ready for PCI 3.0Firehost Webinar: Getting Ready for PCI 3.0
Firehost Webinar: Getting Ready for PCI 3.0Armor
 
Getting Ready for PCI DSS 3.0
Getting Ready for PCI DSS 3.0Getting Ready for PCI DSS 3.0
Getting Ready for PCI DSS 3.0Armor
 
The Cloud Crossover
The Cloud CrossoverThe Cloud Crossover
The Cloud CrossoverArmor
 
Case Study - Currency from the Cloud: Security & Compliance for Payment Provider
Case Study - Currency from the Cloud: Security & Compliance for Payment ProviderCase Study - Currency from the Cloud: Security & Compliance for Payment Provider
Case Study - Currency from the Cloud: Security & Compliance for Payment ProviderArmor
 
Cybersecurity - Whose responsibility is it?
Cybersecurity - Whose responsibility is it?Cybersecurity - Whose responsibility is it?
Cybersecurity - Whose responsibility is it?Armor
 
Security Operations in the Cloud
Security Operations in the CloudSecurity Operations in the Cloud
Security Operations in the CloudArmor
 
Ransomware
Ransomware Ransomware
Ransomware Armor
 
Keys To Better Data Security In the Cloud
Keys To Better Data Security In the CloudKeys To Better Data Security In the Cloud
Keys To Better Data Security In the CloudArmor
 
With FireHost You Can Have it All: Performance & Security
With FireHost You Can Have it All: Performance & SecurityWith FireHost You Can Have it All: Performance & Security
With FireHost You Can Have it All: Performance & SecurityArmor
 
FireHost Webinar: HealthData Repository Deconstructed
FireHost Webinar: HealthData Repository DeconstructedFireHost Webinar: HealthData Repository Deconstructed
FireHost Webinar: HealthData Repository DeconstructedArmor
 
FireHost Webinar: The Service You Should Expect in the Cloud
FireHost Webinar: The Service You Should Expect in the CloudFireHost Webinar: The Service You Should Expect in the Cloud
FireHost Webinar: The Service You Should Expect in the CloudArmor
 
Making Sense of Security and Compliance
Making Sense of Security and ComplianceMaking Sense of Security and Compliance
Making Sense of Security and ComplianceArmor
 
Firehost Webinar: How a Secure High Performance Cloud Powers Applications
Firehost Webinar: How a Secure High Performance Cloud Powers ApplicationsFirehost Webinar: How a Secure High Performance Cloud Powers Applications
Firehost Webinar: How a Secure High Performance Cloud Powers ApplicationsArmor
 
Firehost Webinar: Validating your Cardholder Data Envirnment
Firehost Webinar: Validating your Cardholder Data EnvirnmentFirehost Webinar: Validating your Cardholder Data Envirnment
Firehost Webinar: Validating your Cardholder Data EnvirnmentArmor
 
Firehost Webinar: Do you know where your Cardholder Data Environment is?
Firehost Webinar: Do you know where your Cardholder Data Environment is? Firehost Webinar: Do you know where your Cardholder Data Environment is?
Firehost Webinar: Do you know where your Cardholder Data Environment is? Armor
 
Firehost Webinar: Getting Hipaa Compliant
Firehost Webinar: Getting Hipaa Compliant Firehost Webinar: Getting Hipaa Compliant
Firehost Webinar: Getting Hipaa Compliant Armor
 
Firehost Webinar: Hipaa Compliance 101 Part 2- Your Organizational Impact
Firehost Webinar: Hipaa Compliance 101 Part 2- Your Organizational ImpactFirehost Webinar: Hipaa Compliance 101 Part 2- Your Organizational Impact
Firehost Webinar: Hipaa Compliance 101 Part 2- Your Organizational ImpactArmor
 
Firehost Webinar: Hipaa Compliance 101 Part 1
Firehost Webinar: Hipaa Compliance 101 Part 1Firehost Webinar: Hipaa Compliance 101 Part 1
Firehost Webinar: Hipaa Compliance 101 Part 1Armor
 
FireHost Webinar: How a Secure High Performance Cloud Powers Critical Applica...
FireHost Webinar: How a Secure High Performance Cloud Powers Critical Applica...FireHost Webinar: How a Secure High Performance Cloud Powers Critical Applica...
FireHost Webinar: How a Secure High Performance Cloud Powers Critical Applica...Armor
 
FireHost Webinar: Protect Your Application With Intelligent Security
FireHost Webinar: Protect Your Application With Intelligent SecurityFireHost Webinar: Protect Your Application With Intelligent Security
FireHost Webinar: Protect Your Application With Intelligent SecurityArmor
 
FireHost Webinar: 6 Must Have Tools For Disaster Prevention
FireHost Webinar: 6 Must Have Tools For Disaster PreventionFireHost Webinar: 6 Must Have Tools For Disaster Prevention
FireHost Webinar: 6 Must Have Tools For Disaster PreventionArmor
 
Cloud Computing Best Practices
Cloud Computing Best PracticesCloud Computing Best Practices
Cloud Computing Best PracticesArmor
 
Secure Cloud Hosting: Real Requirements to Protect your Data
Secure Cloud Hosting: Real Requirements to Protect your DataSecure Cloud Hosting: Real Requirements to Protect your Data
Secure Cloud Hosting: Real Requirements to Protect your DataArmor
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 

Contenu connexe

Plus de Armor

With FireHost You Can Have it All: Performance & Security
With FireHost You Can Have it All: Performance & SecurityWith FireHost You Can Have it All: Performance & Security
With FireHost You Can Have it All: Performance & SecurityArmor
 
FireHost Webinar: HealthData Repository Deconstructed
FireHost Webinar: HealthData Repository DeconstructedFireHost Webinar: HealthData Repository Deconstructed
FireHost Webinar: HealthData Repository DeconstructedArmor
 
FireHost Webinar: The Service You Should Expect in the Cloud
FireHost Webinar: The Service You Should Expect in the CloudFireHost Webinar: The Service You Should Expect in the Cloud
FireHost Webinar: The Service You Should Expect in the CloudArmor
 
Making Sense of Security and Compliance
Making Sense of Security and ComplianceMaking Sense of Security and Compliance
Making Sense of Security and ComplianceArmor
 
Firehost Webinar: How a Secure High Performance Cloud Powers Applications
Firehost Webinar: How a Secure High Performance Cloud Powers ApplicationsFirehost Webinar: How a Secure High Performance Cloud Powers Applications
Firehost Webinar: How a Secure High Performance Cloud Powers ApplicationsArmor
 
Firehost Webinar: Validating your Cardholder Data Envirnment
Firehost Webinar: Validating your Cardholder Data EnvirnmentFirehost Webinar: Validating your Cardholder Data Envirnment
Firehost Webinar: Validating your Cardholder Data EnvirnmentArmor
 
Firehost Webinar: Do you know where your Cardholder Data Environment is?
Firehost Webinar: Do you know where your Cardholder Data Environment is? Firehost Webinar: Do you know where your Cardholder Data Environment is?
Firehost Webinar: Do you know where your Cardholder Data Environment is? Armor
 
Firehost Webinar: Getting Hipaa Compliant
Firehost Webinar: Getting Hipaa Compliant Firehost Webinar: Getting Hipaa Compliant
Firehost Webinar: Getting Hipaa Compliant Armor
 
Firehost Webinar: Hipaa Compliance 101 Part 2- Your Organizational Impact
Firehost Webinar: Hipaa Compliance 101 Part 2- Your Organizational ImpactFirehost Webinar: Hipaa Compliance 101 Part 2- Your Organizational Impact
Firehost Webinar: Hipaa Compliance 101 Part 2- Your Organizational ImpactArmor
 
Firehost Webinar: Hipaa Compliance 101 Part 1
Firehost Webinar: Hipaa Compliance 101 Part 1Firehost Webinar: Hipaa Compliance 101 Part 1
Firehost Webinar: Hipaa Compliance 101 Part 1Armor
 
FireHost Webinar: How a Secure High Performance Cloud Powers Critical Applica...
FireHost Webinar: How a Secure High Performance Cloud Powers Critical Applica...FireHost Webinar: How a Secure High Performance Cloud Powers Critical Applica...
FireHost Webinar: How a Secure High Performance Cloud Powers Critical Applica...Armor
 
FireHost Webinar: Protect Your Application With Intelligent Security
FireHost Webinar: Protect Your Application With Intelligent SecurityFireHost Webinar: Protect Your Application With Intelligent Security
FireHost Webinar: Protect Your Application With Intelligent SecurityArmor
 
FireHost Webinar: 6 Must Have Tools For Disaster Prevention
FireHost Webinar: 6 Must Have Tools For Disaster PreventionFireHost Webinar: 6 Must Have Tools For Disaster Prevention
FireHost Webinar: 6 Must Have Tools For Disaster PreventionArmor
 
Cloud Computing Best Practices
Cloud Computing Best PracticesCloud Computing Best Practices
Cloud Computing Best PracticesArmor
 
Secure Cloud Hosting: Real Requirements to Protect your Data
Secure Cloud Hosting: Real Requirements to Protect your DataSecure Cloud Hosting: Real Requirements to Protect your Data
Secure Cloud Hosting: Real Requirements to Protect your DataArmor
 

Plus de Armor (15)

With FireHost You Can Have it All: Performance & Security
With FireHost You Can Have it All: Performance & SecurityWith FireHost You Can Have it All: Performance & Security
With FireHost You Can Have it All: Performance & Security
 
FireHost Webinar: HealthData Repository Deconstructed
FireHost Webinar: HealthData Repository DeconstructedFireHost Webinar: HealthData Repository Deconstructed
FireHost Webinar: HealthData Repository Deconstructed
 
FireHost Webinar: The Service You Should Expect in the Cloud
FireHost Webinar: The Service You Should Expect in the CloudFireHost Webinar: The Service You Should Expect in the Cloud
FireHost Webinar: The Service You Should Expect in the Cloud
 
Making Sense of Security and Compliance
Making Sense of Security and ComplianceMaking Sense of Security and Compliance
Making Sense of Security and Compliance
 
Firehost Webinar: How a Secure High Performance Cloud Powers Applications
Firehost Webinar: How a Secure High Performance Cloud Powers ApplicationsFirehost Webinar: How a Secure High Performance Cloud Powers Applications
Firehost Webinar: How a Secure High Performance Cloud Powers Applications
 
Firehost Webinar: Validating your Cardholder Data Envirnment
Firehost Webinar: Validating your Cardholder Data EnvirnmentFirehost Webinar: Validating your Cardholder Data Envirnment
Firehost Webinar: Validating your Cardholder Data Envirnment
 
Firehost Webinar: Do you know where your Cardholder Data Environment is?
Firehost Webinar: Do you know where your Cardholder Data Environment is? Firehost Webinar: Do you know where your Cardholder Data Environment is?
Firehost Webinar: Do you know where your Cardholder Data Environment is?
 
Firehost Webinar: Getting Hipaa Compliant
Firehost Webinar: Getting Hipaa Compliant Firehost Webinar: Getting Hipaa Compliant
Firehost Webinar: Getting Hipaa Compliant
 
Firehost Webinar: Hipaa Compliance 101 Part 2- Your Organizational Impact
Firehost Webinar: Hipaa Compliance 101 Part 2- Your Organizational ImpactFirehost Webinar: Hipaa Compliance 101 Part 2- Your Organizational Impact
Firehost Webinar: Hipaa Compliance 101 Part 2- Your Organizational Impact
 
Firehost Webinar: Hipaa Compliance 101 Part 1
Firehost Webinar: Hipaa Compliance 101 Part 1Firehost Webinar: Hipaa Compliance 101 Part 1
Firehost Webinar: Hipaa Compliance 101 Part 1
 
FireHost Webinar: How a Secure High Performance Cloud Powers Critical Applica...
FireHost Webinar: How a Secure High Performance Cloud Powers Critical Applica...FireHost Webinar: How a Secure High Performance Cloud Powers Critical Applica...
FireHost Webinar: How a Secure High Performance Cloud Powers Critical Applica...
 
FireHost Webinar: Protect Your Application With Intelligent Security
FireHost Webinar: Protect Your Application With Intelligent SecurityFireHost Webinar: Protect Your Application With Intelligent Security
FireHost Webinar: Protect Your Application With Intelligent Security
 
FireHost Webinar: 6 Must Have Tools For Disaster Prevention
FireHost Webinar: 6 Must Have Tools For Disaster PreventionFireHost Webinar: 6 Must Have Tools For Disaster Prevention
FireHost Webinar: 6 Must Have Tools For Disaster Prevention
 
Cloud Computing Best Practices
Cloud Computing Best PracticesCloud Computing Best Practices
Cloud Computing Best Practices
 
Secure Cloud Hosting: Real Requirements to Protect your Data
Secure Cloud Hosting: Real Requirements to Protect your DataSecure Cloud Hosting: Real Requirements to Protect your Data
Secure Cloud Hosting: Real Requirements to Protect your Data
 

Dernier

Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 

Dernier (20)

Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 

'But I was compliant.' Investing in Top-Down Security to Build a Compliant Business

  • 1. @ARMOR | ARMOR.COM | PAGE 1PAGE 1 ‘But I was compliant’ INVESTING IN TOP-DOWN SECURITY TO BUILD A COMPLIANT BUSINESS
  • 2. INVESTING IN TOP-DOWN SECURITY TO BUILD A COMPLIANT BUSINESS @ARMOR | ARMOR.COM | PAGE 2 Compliance is never enough Businesses face mounting pressures to protect their data. Attacks are increasingly sophisticated and organized, and the stakes are higher. No longer is the typical hack focused on defacing a website; now, attackers are stealing and selling valuable data in exploits that can do more than just embarrass a company — they can destroy it. When there’s a problem, the human response is to seek a solution. So, the consequence of more breaches is more regulations. This is borne out by an increasing number of regulatory agencies issuing their own requirements; creating an extremely complex web of requirements that businesses are not always sure how to address. Many of the rules are not overly detailed because regulatory agencies don’t want to get mired in having to keep up with new threats and technologies. As such, they provide high-level requirements such as, “ensure the confidentiality, integrity and availability of all (fill in the blank) data and protect it against all reasonably anticipated threats.” At the same time, regulations are written, monitored and enforced in different ways by different regulatory agencies, leaving businesses struggling to understand if they’re in compliance. The challenges are understandable. Taking the path of least resistance is not. No matter the confusion. It’s a story you’ll watch unfold time and time again. The breach. The headlines. The confusion. The public apologies. The finger-pointing. And it’s often followed by some form of the following: “But I was compliant.”
  • 3. INVESTING IN TOP-DOWN SECURITY TO BUILD A COMPLIANT BUSINESS @ARMOR | ARMOR.COM | PAGE 3 While businesses may not fully understand their compliance requirements, they do understand the impact of regulatory fines and damaged reputations. To prevent those pains, organizations tend to focus on ticking off the boxes of a compliance checklist, assuming that if compliance is met, their data must be safe. But when companies lose sight of the intention behind the regulations — to safeguard sensitive data — and treat compliance itself as the primary objective, gaps are created between their perceived level of security and their actual level of security. They think they’re safe, but they’re not. Consider the number of strong brands that have suffered infamous breaches; most of them had been judged as compliant, but compliance wasn’t enough to prevent attacks that cost millions of dollars and immeasurable damage to their reputations. Since compliance is simply a method to demonstrate how your security program meets a specific set of criteria — at a specific point in time — a better approach is to focus on security first. If your security program is strong, compliance will be addressed. And it will be done so in a way that supports a healthy business instead of draining resources in the pursuit of tick marks on a checklist. “… when companies lose sight of the intention behind the regulations — to safeguard sensitive data — and treat compliance itself as the primary objective, gaps are created between their perceived level of security and their actual level of security.” Compliance does not equal security
  • 4. INVESTING IN TOP-DOWN SECURITY TO BUILD A COMPLIANT BUSINESS @ARMOR | ARMOR.COM | PAGE 4 Continuous security & compliance Security and compliance are not static endeavors. You don’t, for example, install a firewall and then never revisit the configuration. Likewise, even though compliance is typically measured once a year, it is supposed to be maintained continuously. Unfortunately, the threat landscape evolves in real time, outpacing updates to regulations and capabilities of security tools. This requires that organizations be constantly vigilant to ensure that their security posture remains strong by keeping their controls current and measuring their compliance on a more frequent basis. A prime example of the many organizations that don’t embrace this approach, a popular U.S.-based home improvement retailer successfully passed compliance assessments but still fell victim to an attack that went undiscovered for six months. If the company had an effective and current security and compliance program, it would have been continuously updating its controls and monitoring its environment. Its network would have more likely remained stay secure while also meeting regulatory requirements. Such was not the case. When a company marks the boxes on its compliance checklist and considers its security activities to be complete, it is not only leaving itself open to the loss of intellectual property and business-critical data, it is also building inefficiencies into its security efforts. A security-first approach is holistic, so everything from the tactical mapping of controls to the strategic planning of its risk management program work in concert. That streamlines security operations, which reduces costs, increases value and produces better results. “A security-first approach is holistic, so everything from the tactical mapping of controls to the strategic planning of its risk management program work in concert.” Security is the horse, compliance is the cart SECURITY COMPLIANCE
  • 5. INVESTING IN TOP-DOWN SECURITY TO BUILD A COMPLIANT BUSINESS @ARMOR | ARMOR.COM | PAGE 5 Complete data security Regulatory requirements protect specific types of data. However, companies own more types of data than what are covered by regulations. In fact, a business’s proprietary research, product strategies and other sensitive data may be its most valuable assets. But companies that rely on regulatory checklists to guide their data protection strategies leave a great deal of that valuable information exposed. A security-first approach does not segment data solely according to compliance requirements; it also classifies data according to its sensitivity, location, attractiveness to attackers and other factors. The end result is that all of a company’s data is protected appropriately, including the data subject to regulations. Compliance is met and the enterprise is safeguarded in its entirety. Reduced expense A compliance-first approach leads to the purchase of tools that may or may not be effective in concert with other security efforts. In addition, because there is so much overlap between regulatory standards, companies may make redundant purchases that eat up budget without meaningfully improving security. Running a patchwork of products raises payroll costs as consultants and specialists are hired to research, select, purchase, implement and manage each new tool. But the worst expense a compliance-first approach can create is the expense of a breach, and the cost of a breach is likely to far exceed the amount that a strong security program would have cost in the first place. A security-first approach drives a sensible purchasing strategy. Security investments are no longer a jumble of tools purchased to meet a string of standards in one or more regulatory documents; instead, investments are part of a strategic effort that serves a real-world demand beyond the need to avoid fines. The entire business is protected — not just the areas subject to regulation — and that leads to a greater return on investment. EXPOSED DATA SECURED DATA THROUGH COMPLIANCE REGULATIONS Relying on regulatory checklists to guide data protection strategies leave a great deal of that valuable information exposed.
  • 6. INVESTING IN TOP-DOWN SECURITY TO BUILD A COMPLIANT BUSINESS @ARMOR | ARMOR.COM | PAGE 6 Simplified audits For companies using a security-first approach, demonstrating compliance is a reporting exercise rather than a scavenger hunt. The auditor only has to map the existing documentation of the controls to the regulatory requirements and describe how the requirements were met. This allows third-party assessors to validate compliance more quickly and be less disruptive to the organization; resulting in reduced hard and soft audit costs. Streamlined management Managing security in a compliance-first organization shifts authority from those who most need it — the highest level of security personnel in the company — and places it in the hands of the chief compliance officer or the general counsel. Certainly, the compliance executives need to work closely with the security leaders, but security strategies and investments require the specialized knowledge of a CISO, CSO or security director. After all, few compliance executives are likely to have the deep level of technical expertise necessary to ask the right questions of a cloud provider or to select the right hypervisor-based network firewall. In a security-first organization, security managers can keep compliance personnel up to date on purchases and work with them to identify which regulatory requirement is met at the time of purchase. That gives the enterprise a constant and complete understanding of its regulatory status, and audits are no longer a source of disruption and expense. For companies using a security-first approach, demonstrating compliance is a simple reporting exercise
  • 7. INVESTING IN TOP-DOWN SECURITY TO BUILD A COMPLIANT BUSINESS @ARMOR | ARMOR.COM | PAGE 7 A checklist is not a defense There is no instance in which a security-first practice is weaker than a regulatory standard; the security-first approach is shaped by the realities of the threat landscape. Since threats are constant, monitoring and mitigation are ongoing activities. A company that only reviews its security posture annually is exposed for the other 11 months to any number of threats, while a security-first company proactively monitors its assets continuously and responds to threats immediately. Since threats are evolving, configuration updates and patches are implemented and managed with diligence in a security-first environment. As new threats arise, the company knows its methods will keep it as secure as possible. A company that waits until an audit is impending before it verifies its network diagram is consistent with firewall configuration standards or that its patch management program is properly documented creates uncertainty. Patches may be installed without being tested first, and that can crash business-critical systems. In the scramble to meet compliance, a business can do more harm than good and still fail in its goal of marking off a line on the checklist. Since threats are complex, third-party software and IT vendors are included in a security-first program; regulated companies that don’t ask for an Attestation of Compliance (AOC) from their vendors and perform the appropriate due diligence are, in effect, spending money to create risk. A security-first approach includes procedures for onboarding and monitoring vendors so the company doesn’t become collateral damage if a vendor is breached.
  • 8. INVESTING IN TOP-DOWN SECURITY TO BUILD A COMPLIANT BUSINESS @ARMOR | ARMOR.COM | PAGE 8 Businesses don’t exist for the purpose of achieving compliance; they exist to serve their customers and create value for their shareholders. The best way to achieve those objectives, while still meeting regulatory requirements, is to stay focused on the reason behind the rules: to protect sensitive data. Organizations that look beyond the checklist and take a holistic approach to their security are in the best position to ensure the security of their data and the health of their businesses. This is the key to leveraging security to build a successful and compliant business. Take a holistic approach to security “A security-first approach drives a sensible purchasing strategy. Security investments are no longer a jumble of tools purchased to meet a string of standards in one or more regulatory documents ...” Discover which Armor solution best matches your data workloads with our 30-second online tool. START NOW
  • 9. INVESTING IN TOP-DOWN SECURITY TO BUILD A COMPLIANT BUSINESS @ARMOR | ARMOR.COM | PAGE 9 US 2360 Campbell Creek Boulevard, Suite 525, Richardson, Texas 75082 | Phone: +1 877 262 3473 UK 268 Bath Road, Slough, Berkshire SL1 4AX | Phone: +44 800 500 3167 © ARMOR 2016. All rights reserved. US 2360 Campbell Creek Boulevard, Suite 525, Richardson, Texas 75082 | Phone: +1 877 262 3473 UK 268 Bath Road, Slough, Berkshire SL1 4AX | Phone: +44 800 500 3167 © ARMOR 2016. All rights reserved.