Companies are able to make big savings when going for security standards compliance by changing the way they do business rather than remediating their existing systems.
Change the way you do business
Most companies don’t realise that compliance with standards such as PCI DSS, ISO 27001/2 or the many other security standards increasingly required of companies does not necessarily mean complete disruption and painful remediation of existing business structures and systems. Approached in the right way, standards compliance can deliver big savings simply by changing the way you do business rather than remediating your existing systems parrot-fashion.
Ascentor has helped several businesses to understand that by changing their business processes rather than remediating current systems they are able to achieve standards compliance quickly and relatively pain-free.
Don’t just tag on controls…
The traditional way of achieving compliance with a standard is to retrospectively add protective measures to existing business processes.
Having worked on standards compliance for many years, I often see organisations trying to become compliant with industry standards when their current business processes are simply not set up to support those standards with any ease. At such times it is worth taking a long hard look at the company and what it is trying to do rather than trying to tag on controls.
…or buy in technology you cannot manage
Many companies I have worked with would otherwise have needed to spend thousands of pounds in buying additional technology that they are just not able to manage in a coherent manner.
I have often come across technology that is wasted because it is not properly set up. The systems managers may not have had the expertise or the time to dedicate to it – it is there only because the standard requires it to be there. It is neither effective nor doing what it was intended for, and is therefore a complete waste of money.
The first law of any technology is that it needs to be managed and the second law is that any technology you are unfamiliar with needs to be managed far more and not less than technology you are familiar with. The problem with standards is that they tend to mandate technologies that many organisations are unfamiliar with or require more management than they are used to.
A brief case study in compliance and cost saving
I worked with an organisation in the entertainment industry that has two main cardholder data acquisition channels: the first is selling tickets and the second is selling merchandise.
- The overall architecture of the organisation was heritage and had been under-invested for many years.
- The organisation was looking to become PCI DSS compliant very quickly due to pressure from their bank.
- The remediation of their existing network would cost in excess of £3/4M.
- With a little lateral thought, the ticket sales could be outsourced to the current market leader and the merchandising could be moved off the network onto stand-alone PED (PIN entry device) machines, for both face-to-face and mail-order sales.
This de-scoped the PCI DSS compliance requirement (far less of the network now handled cardholder data) and allowed the organisation to redevelop its network to meet its business requirements rather than its compliance obligations.
I hope this illustration shows that by making relatively simple business operational changes it is possible to make real savings in standards compliance costs.
Colin Dixon, Principal Consultant at Ascentor and leading authority on PCI DSS and security standards compliance.