Compliance and your data centre: Three things to know

Mav Turner, Director, Product Strategy, Security, SolarWinds | Oct. 24, 2017
Here are three key things you should remember when it comes to regulatory compliance.

This vendor-written piece has been edited by Executive Networks Media to eliminate product promotion, but readers should note it will likely favour the submitter's approach.

Regulatory compliance isn't exactly the most exciting topic; however, it is one of the most important. After all, failing to meet compliance requirements can result in harsh penalties, including hefty fines. Compliance standards such as PCI DSS, Sarbanes-Oxley, GDPR and HIPAA also exist to protect the data you hold and the potentially sensitive information within it. On top of this, government regulation such as the Personal Data Protection Act (PDPA) in Singapore aims to protect personal data from prying hands, be they companies or cyber criminals; a recent development of the PDPA may mandate that organisations inform customers of personal data breaches as soon as they are discovered.

With that in mind, here are three key things you should remember when it comes to regulatory compliance:

1. Compliant doesn't equal secure

Being compliant is one thing, but being secure is something else entirely. Think of all the high-profile data breaches we have seen over the past few years. How many of those companies were "compliant"? Quite frankly, all of them had regulations to meet, and many met them successfully. Yet they still made data breach headlines.

Thus, it is important not to fall into the trap of thinking that adhering to compliance requirements guarantees security. In fact, many regulatory bodies now make a point of educating organisations that the standards they oversee will not always ensure company data is secure. Think of regulatory compliance as a starting point, not a finish line.

Having the right talent to manage such situations is just as important. According to a recent study conducted by SolarWinds, a majority (61 percent) of IT professionals in Singapore said that hybrid IT has required them to acquire new skills, while 11 percent said it has altered their career path. These figures point to a need for a more highly skilled workforce that can handle complex environments, on top of hiring individuals who can untangle sticky situations.

2. Forget about breach shaming, have a sense of breach sympathy

With data breach disclosure laws now in place around the world, and with the upcoming Cyber Security Bill in Singapore, we see new (and sometimes old) breaches disclosed far more often, and the coverage rarely arrives without commentary on compliance.

These reports traditionally question the competency of the affected organisations (this includes the recent attacks in Singapore, such as the breaches at NTU and NUS), essentially breach shaming the organisation. Collectively, we need to get to a point where we have more breach sympathy instead: "If it can happen to company XYZ, which was compliant, it could happen to us."

Doing so will help organisations ensure that they are constantly on their toes, seeking to improve security posture, and it will also promote better collaboration across the industry. IT professionals have traditionally excelled at sharing information and expertise on a personal level, but we have to begin sharing information at the organisational level to develop collective strength against shared threats. Regulatory bodies will also hopefully step up to participate more fully in this free exchange, which will affect both what it takes to be compliant and what it means to be compliant.

3. Continuous compliance results in increasing complexity, but it can be worth it

To aid in closing the gap between being compliant and actually being secure, many organisations are moving towards a continuous compliance model to help reduce and limit exposure to compliance and security risks.

Continuous compliance involves constantly reviewing processes and quickly making any necessary updates when they deviate from their intended performance. However, while continuous compliance is effective at narrowing the gap between compliance and security, it also greatly increases the complexity of managing compliance: deviations have to be detected as they happen rather than at audit time, and each one must be triaged and remediated.
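To make points 1 and 3 concrete, here is an added example in Python (an illustration written for this edit, not code from the original article or from SolarWinds) of a continuous compliance check. It evaluates constructed configuration snapshots against a hypothetical control baseline, shows a snapshot that passes every baseline control while still failing stricter hardening checks the baseline never asks about (compliant, not secure), and flags the control that newly fails when the configuration drifts the next day. The control identifiers, settings and snapshots are all assumptions made for illustration and do not correspond to clauses of any real standard.

```python
"""Continuous compliance as a drift check: evaluate successive configuration
snapshots against a control baseline and report which controls newly fail.
Hypothetical example; control IDs and settings are constructed for illustration."""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List


@dataclass(frozen=True)
class Control:
    control_id: str          # hypothetical identifier, not a real standard's clause
    description: str
    check: Callable[[Dict[str, Any]], bool]


# A hypothetical compliance baseline, loosely modelled on the kind of
# password and transport rules found in regulatory standards.
BASELINE: List[Control] = [
    Control("PW-1", "minimum password length of at least 8",
            lambda c: c["min_password_length"] >= 8),
    Control("PW-2", "lock the account after at most 6 failed logins",
            lambda c: 0 < c["lockout_threshold"] <= 6),
    Control("TLS-1", "TLS enabled on the customer-data interface",
            lambda c: c["tls_enabled"]),
    Control("LOG-1", "audit logging enabled",
            lambda c: c["audit_logging"]),
]

# Hardening checks a security team would add on top of the baseline.
# The baseline never asks about these, which is exactly how a system
# ends up compliant but not secure.
HARDENING: List[Control] = [
    Control("TLS-2", "only TLS 1.2 or newer is accepted",
            lambda c: all(v >= 1.2 for v in c["tls_versions"])),
    Control("PW-3", "passwords stored with a slow KDF",
            lambda c: c["password_hash"] in {"bcrypt", "scrypt", "argon2id"}),
]


def evaluate(config: Dict[str, Any], controls: List[Control]) -> List[str]:
    """Return the IDs of every control the configuration fails, in list order."""
    return [ctl.control_id for ctl in controls if not ctl.check(config)]


def drift(previous: Dict[str, Any], current: Dict[str, Any],
          controls: List[Control]) -> List[str]:
    """Controls that passed in the previous snapshot but fail in the current one.

    This is the core of a continuous-compliance loop: run it on every snapshot
    and raise each newly failing control for remediation instead of waiting
    for the next audit.
    """
    before = set(evaluate(previous, controls))
    after = set(evaluate(current, controls))
    return sorted(after - before)


# Constructed configuration snapshots (not taken from any real system).
SNAPSHOT_DAY1: Dict[str, Any] = {
    "min_password_length": 8,
    "lockout_threshold": 5,
    "tls_enabled": True,
    "tls_versions": [1.0, 1.1, 1.2],   # TLS 1.0 still accepted
    "audit_logging": True,
    "password_hash": "sha1",           # fast hash, cheap to brute-force
}

# Day 2: an admin disabled lockout (threshold 0) while debugging login failures.
SNAPSHOT_DAY2: Dict[str, Any] = dict(SNAPSHOT_DAY1, lockout_threshold=0)


def report() -> Dict[str, List[str]]:
    """Summarise the compliance and security status of both snapshots."""
    return {
        "day1_baseline_failures": evaluate(SNAPSHOT_DAY1, BASELINE),
        "day1_hardening_failures": evaluate(SNAPSHOT_DAY1, HARDENING),
        "day2_new_baseline_failures": drift(SNAPSHOT_DAY1, SNAPSHOT_DAY2, BASELINE),
    }


if __name__ == "__main__":
    for name, failures in report().items():
        print(f"{name}: {failures or 'none'}")
```

Run as a script it prints the three result lists: day 1 fails no baseline control yet fails both hardening checks, and day 2 surfaces PW-2 as a new deviation. In a real deployment the snapshots would come from a configuration-management or monitoring export taken on every change, and the drift list would feed an alerting or ticketing queue so the deviation is remediated the day it appears rather than discovered at the next audit.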

In addition, here are several specific best practices that can help you on your compliance journey:

Being mindful and following good best practices will help to ease the burden of compliance, but more importantly it will ensure that data and potentially sensitive information is held secure.