Regulatory compliance remains a high priority for many companies, particularly those in industries such as financial services and health care. Some are turning to managed security services as a way to protect data and systems and to ensure that they are compliant with regulations.
Businesses face an array of security-related laws and regulations, including the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act, the Federal Information Security Management Act, California’s SB 1386 and the Payment Card Industry Data Security Standard. Beyond those regulations, many organizations are benchmarking themselves against industry standards or best-practices frameworks such as Control Objectives for Information and Related Technology, the Information Technology Infrastructure Library and ISO standards.
Reluctantly, companies are spending increasingly large sums of money on compliance. In March 2006, a study by AMR Research predicted that total compliance spending in 2006 would reach $27.3 billion. The study — based on a survey of more than 325 North American business leaders and IT professionals — also projected that spending on compliance would rise to $28 billion in 2007.
Three-quarters of organizations worldwide must comply with two or more regulations, and nearly half (43%) must comply with three or more, according to a report by the Security Compliance Council — a group formed by the Institute of Internal Auditors, the Computer Security Institute and BindView in 2005 to help organizations worldwide meet the challenges and cost of security compliance.
The study, called the 2006 Security Compliance Benchmark Research Report, surveyed more than 200 IT security and compliance professionals at corporate and government organizations worldwide. The findings say that organizations spend an average of 34% of their IT resources on satisfying security compliance for multiple regulations.
Because of the way many organizations have set up their security-management function, chief security officers “appear to be ill-equipped to effectively manage the demands of demonstrating IT security compliance with regulations,” the council report finds. Some companies are seeking help from service providers rather than taking on the task of security compliance in-house. One third of the organizations surveyed by the council are employing professional service firms to “re-align the time spent on demonstrating compliance” and 17% are outsourcing or offshoring security compliance.
Not surprisingly, many companies are searching for a payoff from escalating security investments.
Managed Compliance
The rise of managed security services is well-documented, especially in organizations where security isn’t a core competency. A case in point: The Screen Actors Guild — Producers Pension and Health Plans (SAGPH) has been using Symantec’s managed security service since 2002. SAGPH, which provides health-care and pension services to more than 45,000 members of the Screen Actors Guild and their dependents nationwide, began using the Symantec service to help securely expand its online pension and health-care services.
The Pension Security Act, which protects workers in the event of the collapse of a pension plan, requires that SAGPH expand its online services to include online pension-management tools, real-time updates to information, online reports and online customer support.
“The organization needed to improve the security of its expanding network. But SAGPH has a small IT staff and needed help developing strong security,” says Kevin Donnellan, Assistant CIO, SAGPH, Burbank, Calif. The organization considered hiring security engineers, but decided that it was too costly, and then opted for a managed service to monitor and manage its firewalls and intrusion-detection systems.
“One of the unanticipated benefits is that SAGPH can ensure compliance with regulations, such as HIPAA, related to the protection and security of member health-care and pension information,” says Donnellan.