Why Apathy Around Security is More Expensive than Compliance
I spent some time recently at an ISACA event in Scotland, just days after GDPR went live. The EuroCACS Conference is the premier conference for Audit/Assurance, COBIT, Compliance, Risk, Security, and Strategy/Governance professionals. With sessions covering everything from segregation of duties to GDPR to the dark web, a couple of points really stood out.
First, multiple presenters confirmed that despite increases in phishing, ransomware, and other types of external attacks, the majority of events happen internally. Ransomware makes great headlines, but common fraud and financial statement manipulation are still all too common. All of the core principles still apply. Companies need to manage system security, maintain segregation of duties, and perform appropriate security reviews, all in a risk-based framework.
Second, there is no magic solution to GDPR. Traditional governance, risk, and compliance (GRC) activities are critical components of maintaining control of data. In fact, use of a GRC solution was recommended as one of five tools needed for GDPR. Principles of good governance don't change, and good governance makes GDPR compliance possible. If a company doesn't have control of its financial data, how can it reasonably expect to manage customer data within the environment of GDPR?
Finally, security is going to get harder, not easier. There are simply more pieces to manage with internal access, external access, cloud applications, mobile everything, IoT devices, and more, all at various stages of maturity. Having a solid security core is simply not optional anymore. For example, using cloud vendors who can't provide a SOC 1 or SOC 2 report demonstrating their internal controls is simply not acceptable. These have become the minimum standards, not luxuries. Whether it's ...