Offering regional and national programs, CIO (and CSO) events bring together some of the most respected names and thought leaders in information technology and security. Presented by CIOs and other senior level executives, these invitation-only programs offer timely topics and strong networking. Learn More »
Public Teleconferences
Join CIO Executive Council members and participate in the following live one-hour teleconferences:
* Transforming IT Teams
September 16
* Global CIOs: How to Lead on the World Stage
September 18
* Social Responsibility's Strategic Benefits
October 29
Apply today for a FREE subscription to CIO Magazine!
Crushed by Compliance Tyrants
Are you beset by compliance regulations that just don't make sense? Cutting back on important security measures to pay for them? You're not alone. These tips can help protect you from compliance junkies--aka auditors.
May 29, 2008 — CIO — It was a dark and stormy day. Tornadoes had touched down within 100 miles of the bank's data center. The data center was at the top floor of a tall building. Phil Wherry, a consultant currently serving telecom and healthcare clients, had driven over to the bank that day—a few years ago—to do a gig as security auditor. Wherry got to the facility and started asking the IT people about disaster recovery. "I said, 'You've got this nice data center up on top of this building—what do you do if a tornado takes the roof up?' The guy said, 'We have a backup facility in New Jersey. We have all the equipment necessary to failover bank operations,'" Wherry recalled. OK, Wherry thought. Not bad. "We test it annually," the staffer said. OK, Wherry thought, You've done your homework. "One of these years we hope it works," the bank employee concluded.
You can laugh, but you probably won't if you're one of the many security staffers throughout the land who are subject both to the whims of badly written regulatory compliance rules and to the tyrants—a.k.a. auditors—who have the power to enforce them, often at the expense of actually securing anything at all, as well as at the expense of security budgets that could actually secure something. [Also read Your Guide To Good-Enough Compliance.]
In this case, there was an audit requirement that the bank—which Wherry declined to identify—have an annual failover test. Unfortunately, the requirement didn't require the failover to succeed or that it had to be remediated if it failed. So that's what the bank was doing: testing and hoping it would work. . .someday. [Also read Compliance, Convergence and How IT Fits.]
In the security field, these are the people causing the most damage for CIOs: the "security and compliance people who have no real knowledge about what's needed," says Alan Paller, director of the SANS Institute.
The problem isn't limited to failover tests that don't require success. The problem also encompasses, for example, wasting money on purchasing consultants to write reports that collect dust on a shelf or other budget blunders, Paller says. "You take money out of the budget to buy a report that no one will read because some compliance guy says you have to," he says.
The disconnect between regulations and security has even caught the attention of Capitol Hill. One example: Fisma (Federal Information Security Management Act) compliance is up. The Office of Management and Budget reported that in 2007, 92 percent of information systems were certified and accredited, 86 percent of agencies had a tested contingency plan and 95 percent had tested security controls. The appropriate response: something along the lines of "whoopty do."
Email, blogging and mobile devices are important business tools, but they expose enterprises to legal, financial and regulatory risks.
Outbound email is essential to running any business today — allowing us to share information, work with partners and even interact with customers.
When it comes to technology investments, virtualization demonstrates drop-dead-obvious ROI.
Growing regulations are pressuring enterprises to find effective, affordable and easy email encryption solutions.
Today, there are many ways to approach email security — the question is: what deployment model is right for you?
Stop mobility from jeopardizing PCI compliance with these best practices.
Regulations Shift Focus on Outbound Email Security
Johnson Controls Power Solutions Europe
Governance, Risk, and Compliance Management: Realizing the Value of Cross-Enterprise Solutions
SAP Solutions for Governance, Risk, and Compliance
SAP Case Study: The United Illuminating Company
Find out what Forrester says about mobile endpoint security and its management.
Enterprise Content Management: From Strategy to Solution
Get a grip on your mobile workforce Webcast
Enabling the Global Enterprise
The Great Email Security Debate: Appliances, SaaS, or Virtual?
Selling IT's Strategic Benefits to Business
Resource Alerts
Get instant email notifications by topic when white papers, webcasts, and case studies are added to our library.
Fujitsu Siemens Shows Its First Netbook
ITC Will Hear Microsoft Complaint Against Taiwanese Co.
Zambians Use SMS to Mourn President's Death
Firefox Luganda Translation Now Available for Download
Sierratel Gateway Operation Contract Extended
Zambian Regulator Calls Meeting with Service Providers
Sprint's WiMax Service to Include Local Features
European Court Won't Stop UK Hacker's Extradition to US
Japan's Ricoh Buys Office Supplier Ikon for US$1.6 Billion
Nortel Uses USB Drive to Secure Remote Work
Just the basics, please. Sometimes we all need a refresher or we need to make sure our team and our colleagues are all on the same page.
Over 25 tutorials on everything from business intelligence to virtualization.
