Matt Ploessel is a Security Architect for the Markley Group.
There is no arguing that a company’s data is one of its most valuable assets, especially in the financial sector. And considering financial institutions are entrusted with keeping company financials, account information, cardholder data and other personal information secure and private, implementing the proper security solutions and protocols is of the upmost importance. In fact, it needs to be viewed as a critical business imperative.
So why is it that so many financial organizations believe that by simply being compliant with industry regulations and requirements, they have also protected themselves against any potential vulnerabilities and security threats?
Many of today’s executives view compliance as a check-box – and move on after the main requirements are met. However, financial compliance standards only scrape the surface of what proper protection should be – and by equating compliance with security and a belief that they’re protected, organizations are missing the danger directly in front of them. At most, compliance regulations should just be the minimum requirements or the starting point for an organization’s comprehensive security strategy.
No one would want to enter into a dangerous situation without having as much protection as possible. You’d be needlessly increasing the possibility that something bad would happen. The same thing is true with the security of your organization’s data. While you may feel safe because you’ve checked off the appropriate box, you’re still vulnerable to other security risks. Assuming you’re protected because you’re meeting a requirement is too risky and ignoring potential dangers. It’s like visiting Jurassic Park and announcing you’ll be safe no matter what because you’re wearing your seatbelt during a park tour. Security is key to every line of business today – and is simply too important to leave to assumptions and chance.
When it comes to security, it’s vital to be proactive. Organizations should look to adopt proactive controls, such as regular vendor audit mandates, to ensure that the organization is continually discovering and implementing the newest and strongest security solutions that work in conjunction with their compliance requirements, whether it be PCI compliance for a financial organization or HIPAA compliance for a healthcare organization. On the security side, with the epidemic of data breaches and ransomware situations facing companies today, it is more important than ever before that you have the strongest protections in place – and that you (or your vendors) are keeping watch of the latest vulnerabilities, so you can be sure you have protections in place. A regular questionnaire can be helpful to make sure your organization and vendor stay aligned on the objectives most important to the organization in the future – and that you are protected and aligned with all future regulatory changes and revisions.
Look to Your Vendors for Compliance Assistance
Many data storage vendors today offer compliance assistance, which can help transition non-compliant companies into compliance. Vendors that offer compliance assistance have the expertise and knowledge to meet the appropriate security needs to safeguard your organization. With regulations constantly being changed and updated, this is helpful as companies without a resident “compliance expert” often are unaware of these updates, and therefore don’t implement the changes necessary to maintain compliance. Selecting a vendor that already has compliance expertise allows your organization to allocate that time to focus on what matters most to the organization’s success.
While many vendors offer compliance assistance, it’s important to vet each potential vendor to ensure their compliance capabilities meet your industry’s requirements and that they are willing to take on the liability in case something goes wrong. For example, the PCI compliance requirements financial institutions must adhere to are different than the HIPAA compliance requirements healthcare organizations need to follow. Companies’ should check that their vendor has a successful track record in meeting and maintaining compliance across industries, in addition to specializing in the company’s specific industry, to justify the vendor’s ability to accurately safeguard your organization.
Another important aspect to make sure your company stays ahead of the curve is to constantly assess emergency security risks and threats. One of the easiest ways to achieve this is with pre-determined metrics surrounding the organization’s security needs that can be used as a benchmark. While you can’t always count on a vendor to inspect everything and have them prove they are doing it right, you can keep track of this through internal metrics.
Checking off your compliance checkbox isn’t the same thing as having a proven security strategy in place or meeting a reliable security maturity level. Re-evaluate your data storage vendor and make sure they are providing regular audits to highlight how they are keeping your data safe, beyond the basic industry compliance standards. This will ensure your vendor has earned your business, knowing that you’ll be on top of the latest industry security trends and will be constantly keeping your customer, employee and company data secure.
Industry Perspectives is a content channel at Data Center Knowledge highlighting thought leadership in the data center arena. See our guidelines and submission process for information on participating. View previously published Industry Perspectives in our Knowledge Library.