The Cost of Technology Compliance

In 2015, while working with a Fortune 1000 company and briefing the CIO, I identified three risks to the data center project: 1.) an immature change management process, 2.) a nonexistent release management process, and 3.) a nonexistent compliance program.

I am sure this thought rings true for CIOs and CSOs (TSO), since they are the GOTO for every significant penetration and/or hack. CIOs and CSOs must answer to the CEO and Board of Directors, and this can be a very painful event, up to and including loss of job. Think of the Target hack a few years back.

The cost of compliance can be quantified against many different factors, such as loss of dollars per hour or day, brand damage, etc. The preference here is for IT to stay ahead of hacks, if that is even possible, to mitigate customer losses.

How challenging is compliance in today’s environment? Difficulty level 10 out of 10. If you don’t believe me, then how do you explain away the blockchain hacks in the last year totaling almost $1B in direct investor losses? I predicted in 2015 that blockchain was hackable because of network skipping and because IPs can be replicated, thus, hacked.

I’m reminded of two tangents: the first is CLOUD and the second is assessments. The first, CLOUD, should be a team (Architecture Control Committee) consisting of your Architect, Security Team, Network Team, Storage Team and the associated teams which are impacted, such as UNIX, Apps, DBs, etc.

The challenge in private/public/hybrid CLOUD or MSP CLOUD is what the provider guards against and what the client guards against. Configuration issues demand that the client adhere to the agreement and configure accordingly with everybody that is impacted. In considering CLOUD services, you may need to prioritize an assessment tool such as ISO 27001/ISO 27002 and/or HiTrust, or another assessment tool.

The second issue is compliance assessments. Here an organization must apply the appropriate assessment tools which it feels meet industry best practices. In my current role, CJIS, PCI, and HIPAA apply, so the question is, “whose assessment do we use?” The FBI manages CJIS, NIST manages 800-53, and so on. The answer lies in each organization’s unique characteristics and the best assessment tool.

I just attended an AWS seminar dealing with their ability to deliver HiTrust Certification; as you may remember, 3rd-party certification is the hallmark of HiTrust and ISO. My thoughts after hearing AWS are that there is a plethora of vendors who conduct all the mainstream assessments. Choosing a vendor has its own challenges, and careful consideration requires due diligence and possibly a weighted scoring tool with DEMOs to evaluate and select a vendor for this important task.

The two components of assessment in technology need to be physical and logical: data center and cyber security. In my past I have developed assessment tools for NIST, CJIS, and data centers to ensure compliance for CFPB, NCUA, Fed Bank and so on. The key to success for me was creating a rubric which met the assessment organization’s specific targets through a client evaluation step. I created assessments which tracked to specific IT departments and held them accountable for status. Success or Zero Defects doesn’t mean you solved everything; it means that you are aware and have directed a way for your individual teams to achieve the standard.

What have we learned from this information? First, organizations need to appoint within their own organizations an IT POC who will move the organization forward in compliance. Second, the organization must choose the assessment tool(s) based upon the eco-system it maintains. Thirdly, organizations may want to collaborate with their internal Audit Teams so that both teams develop tools to test the readiness of IT and cyber status. Finally, choosing an in-house program or a 3rd-party assessment firm is the final leg for compliance. Organizations must decide on value: whether developing their internal program will be effective versus paying the extra cost of an external assessment firm like Coalfire or Denim Group, with whom I have worked in the past, and the value of their Certification Letter for HiTrust and what that means to an organization’s customers.

I am seeking feedback, and if you have any questions, contact me, Dave Howell, [email protected], 210-618-6566, for more information.

#CIO #CEO #costofquality #technicaldebt #compliance #HiTrust #NIST #ISO27001 #ISO27002 #ISO22301 #ISO9001 #NERC #CJIS #PCI #HIPAA #Coalfire #DenimGroup