"As well as challenges in terms of visibility (indentify gaps, prioritise risks and track new threats), time and cost, the organisation must show risk priorities and rank these in version 2.0 of PCI DSS, which increases the complexity of adhering to compliance standards," said Tan. "The threat landscape is dynamically changing, and there is the pressure of time (coordination, reporting and testing procedures)."
"Organisations need to translate IT risks into business risks, to bring IT risk compliance priorities to board meetings," he said. "Without this, prioritising business operations over 'untranslated' security risks is a common pitfall to organisations of all sizes. Also, many organisations may not have the ability to detect breach incidents (active logging and analysis), and sufficient testing to capture vulnerabilities."
Tan said security threats and risk management were becoming part of boardroom-level discussions, A January 2012 study conducted by Forrester Consulting on behalf of Symantec found:
- 70 percent of security decision makers reported increased executive awareness of IT security as a direct result of recent high profile attacks and data breaches
- When asked what changes to their IT risk programme would have the most positive impact on their business counterpart relationships, 47 percent indicated the improved ability to communicate the value of security and risk management in business terms
- More than 40 percent called out the need for more timely and accurate data or more frequent reporting of risk and compliance
Symantec Control Compliance Suite 11
To address these challenges, Symantec enterprise director, risk & compliance. Asia Pacific & Japan, Eric Lam said the company intended to make available the Symantec Compliance Suite 11. "We have a suite of solutions to help organisations meet compliance requirements from perimeter to endpoint, as well as help manage the major sections required by PCI DSS 2.0. Organisations need to go through all 12 sections (key mandates) required under PCI DSS including firewalls, testing, data protection and controlling access to cardholder data."
"Adhering to compliance is an evolving process: as companies mature in their compliance state, they need to stay ahead of the threat vector, to build a sustainable risk programme and connect to business concerns," said Lam. "Most 'mature' companies are aware that info security does shape business decisions. Also, over the last one or two years, awareness of global security breaches involving major companies has started to increase awareness across all sizes of organisations."
"A structured approach by appropriate stakeholders - such as security/audit, IT operations as well as business/management - to address IT risk and compliance involves moving through four major steps (planning and defining policy; assessment; reporting processes; and remediate based on highest priority risks," said Lam. "Besides enabling organisations to evaluate their risk and compliance posture, the latest Symantec Control Compliance Suite 11 enables CISOs to translate their data into actionable insights for business stakeholders, which is a critical business requirement today. In addition, it automates IT governance, risk, and compliance processes, which improves the security of organisations and reduces cost and complexity associated with meeting multiple compliance requirements."
Sign up for CIO Asia eNewsletters.