Compliance and Security are not the Same Things
Posted March 20, 2017 by Sayers
The EU General Data Protection Regulation (GDPR) was approved on April 14, 2016 and becomes enforceable on May 25, 2018. That timeline leaves little time to do the work needed to avoid the stiff penalties: fines of up to 4% of annual global turnover or 20 million euros, whichever is greater. Separately, New York State has enacted a cybersecurity regulation for financial institutions under its jurisdiction (23 NYCRR 500, effective March 1, 2017). Beyond the expected language, it requires each covered entity to implement a security program with a designated CISO, and it contains specific requirements for governance and oversight of third-party service providers.
For companies that limit their budget to the items that let them check the proverbial box, security is often left by the wayside as the primary focus becomes satisfying whichever regulator is currently first in line. This is the rule, not the exception, in "compliance-driven security". The fallacy of this approach leaves less-sophisticated businesses with the false assumption that, because compliance was achieved, the required level of security was achieved as well. That is almost never the case: a compliance audit confirms that controls exist on a given date, not that they detect or stop an attack in progress. Imperva's integrated Database Activity Monitoring and CounterBreach user behavior analytics help to bridge that gap.
Imperva's platform helps businesses detect breaches by baselining how users and applications normally access the database, flagging access that deviates from that baseline, and alerting on it. Without database activity monitoring of this kind, a business may never learn that its data repository has been attacked and its data exfiltrated, because the attacker's queries look like ordinary traffic to the network perimeter. The ability to identify, detect, and respond to intruders in near real time is effective security, provided the alerts are actually triaged and acted on.
Imperva's solution provides this effective security, and it also provides governance and oversight functions that can be used to "prove" the security program is effective and efficient, for example by producing an audit trail of who accessed which data and when. Governance and oversight groups that could immediately benefit from such a solution include Audit, Finance, Risk, and Legal.
Regulations with accelerated compliance timelines and serious punitive measures, paired with a solution that delivers effective breach detection, deploys quickly, and benefits a multitude of internal customers, add up to an unusually strong case.
As difficult as security business cases are to write, this is one I would welcome the opportunity to write.
Sources:
http://www.eugdpr.org/
http://fortune.com/2017/02/16/new-york-state-cyber-security-regulation/