What not to do in the bid for compliance

Compliance experts have advised organisations not to rely solely on technology in their quest for compliance.

With the Privacy Act under review and the PCI Data Security Standard in full swing, experts believe risk assessment followed by suitable technology will ensure compliance.

Speaking to SC, Dave Howell, RSA’s senior manager of Compliance Solutions, said the incredibly complicated regulatory environment has caused organisations to react to individual regulations rather than approach the subject holistically.

“Rather than looking at what their security compliance strategies should be they sort of just look at the standard in front of them and start buying a bunch of technologies in place without really considering the ramifications beyond that one single mandate,” said Howell.

He added: “No vendor is going to make any company compliant. When you look at getting compliant you need a variety of procedures and technologies that range from HR issues, to physical security. There’s a lot of things that need to be taken into consideration.”

Howell was in Sydney as part of a bi-annual visit to local clients. He believes that at some point different regulations overlap, and that failing to understand this causes a high degree of redundancy and repetition that raises business costs.

“You need to better rationalise them to understand the similarities and how to put controls in place consistently so we’re not managing each of those compliance requirements in a silo,” he said.

In addition, Bryan Stibbard, vice president of sales for APJ at Astaro, said customers need to know what they’re actually trying to address.

“What is the actual security risk? Are they just becoming compliant because they need to become compliant or are they actually addressing a risk?”