220. 221. Whatever It Takes

One of the great movie lines of the 1980s was uttered by Michael Keaton’s character, Jack, in the John Hughes movie Mr. Mom. With his manhood being tested by his wife’s new boss, Ron, Jack responds to a question regarding his home’s electrical wiring.

Ron: “Well, you going to make it all 220?”

Jack: (Confused). “Yeah, 220. 221. Whatever it takes.”

Confusion runs deep when it comes to IT compliance.

Compliance, for the most part, is considered an IT department’s burden. Mandated by industry and government bureaucrats and a drain on financial and personnel resources, compliance has fallen on the shoulders of the chief information officer, chief information security officer, or IT manager. Few organizations have a dedicated IT chief compliance officer—though more should.

Many organizations view compliance monitoring as a necessary evil and treat it as such. Ask an IT professional about infrastructure compliance, and you will hear reports of exorbitant maintenance fees, long pre-audit cycles, and outside audits with high failure rates. Those who have compliance software generally consider it “shelfware.” Their logic: compliance software is “noisy” and a pain to maintain. As long as it is turned on somewhere, government and industry regulators will stay at arm’s length.

“Look, I have compliance software! I’m paying huge maintenance fees. Check my audit bill. You can’t fine me. I am trying.”

220. 221. Whatever it takes.

This is not the way compliance should be viewed. There is good reason for requiring IT departments to ensure continuous compliance monitoring across their infrastructures. Secure credit card information, social security numbers, patient data, and financial records are key elements to one’s privacy. Properly maintained compliance standards can greatly reduce the risk of loss due to cybercrime.

Before compliance solutions gain across-the-board acceptance, though, a few things need to happen:

  1. Compliance software needs to be affordable.
  2. Solutions must be truly automated, continuous, and ongoing.
  3. Results must be actionable.

Even for the technologically challenged, the first two items above are easily understandable. It is the third item—results must be actionable—that can lead to confusion.

An actionable result means report data must be available in a format that is understandable and offers easy-to-follow issue resolution. Discovering that file abc123 along with 300 others has changed on some server or device is not very actionable. Learning that file abc123 is part of the most recent release of Microsoft Windows is actionable information.
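The distinction drawn above, between a raw list of changed files and a finding that says which change is explained by a known release, is the core of file integrity monitoring with context. The script below is an added illustration written for this article, not the author's code or any vendor's product. It hashes a baseline and a current snapshot, detects modified, added and removed files, and then checks each changed file against a release manifest of known-good hashes so that the operator sees "expected: matches release X" versus "unexpected: review". Every file name, file content, hash and the manifest name are constructed sample data; on a real host the snapshots would be read from disk and the manifest would come from the vendor's signed catalog.

```python
"""File-change findings enriched against a known-good release manifest.

Added example for this article: not a product, not the author's tooling.
All file names, contents and the release manifest are constructed sample data;
the byte strings stand in for files that a real agent would read from disk.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    """Fingerprint file contents; a baseline stores one such hash per file."""
    return hashlib.sha256(data).hexdigest()


# Constructed: what the monitoring agent recorded when the baseline was taken.
BASELINE: Dict[str, str] = {
    "abc123.dll": sha256_hex(b"abc123 build 1"),
    "xyz789.dll": sha256_hex(b"xyz789 build 1"),
    "old.tmp": sha256_hex(b"scratch"),
}

# Constructed: what the agent sees now. abc123.dll and xyz789.dll changed,
# old.tmp disappeared and new.cfg appeared.
CURRENT_SCAN: Dict[str, str] = {
    "abc123.dll": sha256_hex(b"abc123 build 2"),
    "xyz789.dll": sha256_hex(b"xyz789 tampered"),
    "new.cfg": sha256_hex(b"unknown config"),
}

# Constructed vendor manifest: known-good hashes shipped with a named release.
# "Release 2 (constructed)" is a placeholder, not a real release identifier.
RELEASE_MANIFEST: Dict[str, Dict[str, str]] = {
    "Release 2 (constructed)": {
        "abc123.dll": sha256_hex(b"abc123 build 2"),
    },
}


@dataclass
class Finding:
    path: str
    change: str   # "modified", "added" or "removed"
    status: str   # "expected" or "unexpected"
    detail: str   # the context an operator needs in order to act


def detect_changes(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, str]:
    """Return {path: change_kind} for every difference between two snapshots."""
    changes: Dict[str, str] = {}
    for path in baseline.keys() | current.keys():
        if path not in current:
            changes[path] = "removed"
        elif path not in baseline:
            changes[path] = "added"
        elif baseline[path] != current[path]:
            changes[path] = "modified"
    return changes


def classify(changes: Dict[str, str], current: Dict[str, str],
             manifest: Dict[str, Dict[str, str]]) -> List[Finding]:
    """Turn raw changes into findings by matching new hashes to a known release."""
    findings: List[Finding] = []
    for path, change in sorted(changes.items()):
        if change == "removed":
            findings.append(Finding(path, change, "unexpected",
                                    "present at baseline, now missing; review"))
            continue
        new_hash = current[path]
        release = next((name for name, files in manifest.items()
                        if files.get(path) == new_hash), None)
        if release is not None:
            findings.append(Finding(path, change, "expected", f"matches {release}"))
        else:
            findings.append(Finding(path, change, "unexpected",
                                    "hash not in any known-good release; review"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings by status so a report can lead with what needs attention."""
    counts = {"expected": 0, "unexpected": 0}
    for f in findings:
        counts[f.status] += 1
    return counts


def run() -> List[Finding]:
    """Compare the constructed snapshots and classify every change."""
    return classify(detect_changes(BASELINE, CURRENT_SCAN), CURRENT_SCAN, RELEASE_MANIFEST)


if __name__ == "__main__":
    for f in run():
        print(f"{f.status:10} {f.change:9} {f.path:12} {f.detail}")
    print(summarize(run()))
```

With the constructed data, abc123.dll is reported as an expected change explained by the manifest, while the other three changes are flagged for review. The report an operator acts on is the short "unexpected" list, not the full list of changed files.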

Automated, continuous compliance monitoring software does not have to be expensive. And by choosing the right solution, it does not have to become shelfware, either. When considering compliance automation, look beyond the standard security vendors who provide a compliance product as an afterthought “add on.” Find a vendor who specializes in compliance automation. Compare vendors on price; there can be a wide range of costs. Purchase a product with actionable information that provides a real ROI by reducing the drain on resources caused by pre-audit preparation.

Simplify compliance automation. Reduce the resource drain. Face your IT audit with confidence.

The correct answer—although not nearly as memorable—is, “110 volts, Ron.”