Many companies feel that information security and compliance spending is a necessary evil and just another cost of doing business. However, Corsis has found that with the right planning and implementation, investment in information security technologies can yield valuable opportunities and attract customers.
Using Corsis+Data, we recently analyzed 40 technology service organizations with revenues ranging from $30 million to $100 million across many industries. What we found was that companies with the highest score exhibited several common traits. These companies deploy technologies and provide independent oversight that automate and enforce security measures to ensure compliance with regulations and best practices. They have turned this expense category into an asset that can attract customers and provide confidence to investors. Below are the top five things that high-scoring companies are doing:
1. Implement an information security framework: There are a number of published information security and privacy frameworks (ISO, HITRUST, NIST, COBIT, etc.) that provide standards and guidance to ensure that an information technology department has addressed a comprehensive information security program. These security programs cover organizational, administrative, physical, and technical safeguards together, rather than applying security measures selectively.
2. Address regulatory and industry-based requirements: Applicable regulatory and industry security requirements such as HIPAA (healthcare) and PCI (credit card) are mandatory and should supplement one of the information security frameworks rather than be the only measurement. A proactive approach to compliance allows an organization to quickly respond to regulatory challenges and to customer or investor concerns, and helps build an information asset.
3. Maintain a security compliance and evaluation function: Information security measures should be periodically evaluated independently of those maintaining the security measures. An internal compliance function or external security assessment can assist in evaluating risk, monitoring remediation efforts when needed, and confirming that the policies and procedures the organization believes are in place do in fact exist and are operating effectively.
4. Obtain external certifications: A number of different certifications can be performed by external firms to provide independent reports of compliance with a specified framework. These certifications require effective processes that have been proven over a period of time, must be performed by authorized compliance specialists, and need to be re-certified on a periodic basis (generally annually). External certifications, while sometimes costly, provide the most confidence to customers and investors. Some of the more recognized certifications include:
5. Communicate security and privacy practices: To leverage information security and compliance regulations, a clear communication program must be put in place. Effectively communicating the information security measures that an organization is taking should be tailored to each stakeholder to keep them informed and engaged in security initiatives. These measures can also be used as marketing material on the company website. A Notice of Privacy Practices can be included as well as a website compliance seal or other independent evaluation.
The chart above shows that, overall, companies in our study excel in certain areas; however, many important topics are falling behind, leaving an increased level of risk exposure.
On a scale from 1 to 5 where one equals a low level of confidence and five equals a high level of confidence, the companies in our study scored an average of 3.35.