Achieve security standards quickly and cheaply


Date: 17 September 2012

Many companies are finding that they increasingly have to comply with security standards.

These include PCI DSS, which demonstrates that you can hold customers’ payment card details securely, and ISO 27001 (with its companion code of practice, ISO 27002), which shows that you use adequate, proportionate controls to protect information.

Complying with standards like these can seem a costly process. But if you look at changing the way you do business rather than making big changes to your existing systems, you can reduce the cost and the associated disruption considerably.

Change how you do business

The traditional way in which companies achieve standards compliance is to retrospectively add protective measures to existing business processes.

Having worked in this area for many years, I often see organisations with business processes that really are not set up to make it easy for them to comply with certain standards.

At such times it is worth taking a long, hard look at your company. Instead of trying to tag compliance controls on to existing processes, ask whether those processes need to handle the regulated data at all.

Wasted technology

I have worked with many companies that have brought in new technology so they can comply with certain standards. However, often this technology is wasted because it is not properly set up. Managers lack either the time or expertise to use it properly.

This technology is only in these businesses because the standards demand it. It’s a tick in the box, but it is neither effective nor doing what it was intended for. In short, it is a waste of money.

The first law of any technology is that it needs to be managed. The second law is that technology you are unfamiliar with needs far more management than technology you already know.

The problem with standards is that they tend to mandate technologies, such as log monitoring or file integrity checking, that many organisations are unfamiliar with.

How it works in practice

I worked with an organisation in the entertainment industry that takes customer payment card details in two main ways: selling tickets and selling merchandise.

  • The organisation’s IT infrastructure was old and had suffered many years of underinvestment.
  • The organisation needed to become PCI DSS compliant quickly due to pressure from its bank.
  • It would have cost £3m to £4m to update and improve the company’s systems to the required standard.

With a little lateral thought, we realised that ticket sales could be outsourced to the current market leader in ticketing and merchandise payments could be moved to stand-alone card terminals that never touch the corporate network.

This took the organisation’s own network out of PCI DSS scope. What remained was to confirm that the ticketing provider was itself PCI DSS compliant and to validate the much smaller scope of the stand-alone terminals. The organisation could then focus on redeveloping its network to meet business requirements rather than compliance obligations.

It does sometimes require creative thinking, but relatively simple changes to business operations can lead to real savings in the cost of standards compliance.

Dave James is managing director of Ascentor, a company which helps businesses manage information risk. You can also follow him on Twitter.
