Servers & Systems: The Right Compute

How much security compliance is enough?

All organizations, regardless of size and industry, need to protect their data. By following compliance standards as much as possible, businesses can improve their security posture.

In many businesses, IT staff is accustomed to working within budget limitations, despite the rising demands of investing in new technologies like automation, efficiency, and hyperconverged infrastructure. According to the 2019 Spiceworks State of IT report, about 35 percent of IT departments in small or mid-sized businesses are planning a budget increase, but just over half plan to keep it exactly the same.

IT departments should focus on using their budgets, no matter their size, to acquire the most secure infrastructure needed for their businesses. In addition, IT staff should add security compliance to their ever-increasing list of duties.

But how much time should be spent on security compliance and audits? And how can you manage the compliance issues most relevant to your respective industry? These are questions that the IT leader must consider in order to best use limited resources.

Comply with everything?

Security compliance is a minefield, and complying with too many standards is pointless. Aside from the mandatory standards, organizations should try to select only those that add business value.

For example, protecting client payment data is important to most businesses, but it may not be the top priority for all of them. "PCI DSS (Payment Card Industry Data Security Standard) compliance is a headline standard for many small businesses," says Ian Rowlands, vice president of product management and metadata at ASG Software Solutions.

"The nasty truth is that it's only a tall tree in an extensive forest of regulations. From Occupational Safety and Health Administration (OSHA) standards and Environmental Protection Agency (EPA) regulations to the Health Insurance Portability and Accountability Act (HIPAA) and many others, the list, which varies by industry, can be overwhelming."

Businesses should take baby steps when it comes to security compliance, starting with a security standard that is easier to comply with, like the ISO/IEC 27002, which deals with end-to-end security.

"It is easy to understand, and it is up to the company to determine the level of detail. For example, it does not dictate that passwords be eight characters long. It requires that you have a secure log-in control," remarks Jeff VanSickel, principal consultant and compliance practice lead at SystemExperts.

Plan carefully

Though not all compliance requirements concern security, IT will likely be involved in the careful planning required to achieve and maintain compliance in almost all cases. "Consider strategy and tactics" along with "inventory resources to be managed," said Rowlands. "Define management policies, analyze risks for each resource type, expect that you will suffer an attack, and make contingency plans." Keep your IT infrastructure simple, and outsource to service partners where possible.

You may already be unofficially compliant

When your company bought its first server, it already had to conform to the information security process. However, "the problem was the company opened up the box, installed the server, changed some settings in the name of securing the server, and it didn't document any of it," VanSickel explained. "When asked if security is in place, IT can say yes, but IT can't prove any of it."

To prevent these headaches, try to keep the documentation from when you first secured your environment. If it's already too late, you can at least plan your budget knowing that all you need to do is prove compliance in those areas.

IT solutions for all businesses

Above all else, remember that information security programs are not just for technology companies. "I worked with a CEO once who said his company made dresses. He asked why it would need a security program," VanSickel said. "I explained why knockoffs of his dresses were showing up before his company had released the dress to the public. Dress designers weren't encrypting the designs being sent overseas to make samples, and someone along that path was stealing the designs, replicating them, mass-producing them, and getting them to market faster."

SMBs across all industries are a major target for hackers, according to a 2017 report compiled by The Ponemon Institute, and they're experiencing increasingly sophisticated attacks at a higher rate. It's clear all organizations, regardless of size and industry, need to protect their data. By following compliance standards as much as possible, businesses can improve their internal corporate security profile while proving their security posture to industry peers and clients.

For more information on how SMBs can overcome other common challenges they face, check out IDC's SMB predictions for 2019.

Ready to take the next step? Check out the SMB Hybrid IT for Dummies Guide. Because there are no "dumb" questions!

Are you ready to purchase? Visit the HPE Store.

About the Author


Robert has more than 25 years of IT marketing and product management leadership experience spanning country, regional and worldwide organizations. Robert is a marketing executive with extensive experience in field marketing, channel marketing and product marketing on a global basis, and is driven to deliver SMBs end-to-end affordable infrastructure that's secure from the start, optimized for every workload, packaged for many consumption models, ready to scale, and easy to manage.