Compliance has become a dirty word no one wants to utter when planning for IT security management initiatives, but it needs to be part of any security conversation.
Many organizations are required to meet compliance regulations, and the numbers are only growing, fueled by constantly evolving legislation that creates new rules, requirements and auditing procedures. With the growth of regulations, more and more businesses will feel the burden of compliance, while those already impacted will undoubtedly have more rules levied against them.
The irony is that most businesses see compliance requirements as an unnecessary burden, legislated into existence to protect external entities. Yet properly enforced compliance policies can protect organizations from a myriad of problems - ranging from security breaches to lawsuits to corporate espionage - an irony appreciated by very few.
Simply put, enforcing compliance rules makes good business sense, and compliance has a symbiotic relationship with the procedures and requirements dictated by computer security. On another level, compliance, like security, is all about managing risk - where the risk associated with compliance failures can include financial impact (fines), data loss (intrusions), lost business (customer impacts), or even a suspension of operations. The risks associated with a failure to properly secure IT are very similar to, if not identical with, compliance risks. The only major difference is that most security practices are optional, while compliance is required.
That said, it becomes easy to see how security and compliance go hand in hand with risk management, and how compliance enforcement (as well as auditing) has its roots in enterprise security. However, that realization does nothing to ease the burdens of compliance and security - yet it does give some insight into how those burdens can be reduced.
Simply put, it becomes a matter of efficiencies - one where unification of risk management, security management and compliance management can lead to an economy of scale. In other words, unified management of those three distinct, yet intrinsically related, elements can bring about efficiencies that lessen the burdens imposed, both in time and in budgets.
Nevertheless, it takes more than an ideology of unification to solve those problems; it takes tangible elements as well - starting with the proper tools. For example, unified security management tools that offer integration and management modules can often combine risk management, compliance initiatives and security controls into a single managed element, converting compliance into little more than an extension of policy-based security enforcement.
With the proper tool set selected, compliance management as well as risk management can become natural extensions of security management, offering managers a clear path to establishing compliance, protecting data and enforcing policy. It will be that holistic approach that will reduce costs, while enhancing the benefits of all three.