How to Parlay Compliance and Audit Investments for Improved Risk Management

By Mitch Christensen  |  Posted 2010-11-05

There is a chronic shortage of manpower, money and system bandwidth to deal with the ever-increasing number and complexity of IT security threats. What's more, compliance and audit requirements deplete resources that could otherwise be used for fundamental security problems. Here, Knowledge Center contributor Mitch Christensen explains how existing staff and systems can be leveraged to satisfy compliance and audit requirements, with a look at increasing operational efficiency to improve overall business risk management.

In the current environment of limited IT staff and budget, efficiency is everything. Nowhere is this more applicable than for IT security teams. There simply aren't enough staff and systems to meet the ever-increasing challenges and requirements posed by compliance regulations, internal audits and business risk management.

In particular, the rise in compliance and audit requirements has often squeezed out resources that might have otherwise gone to fundamental security functions such as tight controls on intellectual property (IP) or effective security investigations. As a result, organizations are frequently left exposed and vulnerable. Within this environment, what concrete steps can be taken to meet compliance and audit requirements while simultaneously ensuring the successful implementation of fundamental security controls?

To start answering this question, it helps to reflect on the daily reality of the IT security team. The bulk of the team's time is spread across a few areas. First, there are mundane operational chores such as firewall and Web surfing policy management, and antivirus or intrusion prevention care and feeding. Of course, there are also the periodic rollouts of new platforms and applications.

Next are the inevitable fire drill activities such as proving that it's not "the firewall's fault" that an application is slow, or recovering corrupted PCs or "lost" data. And on top of that, considerable time goes to meeting audit and compliance requirements, which typically consume precious staff resources in gathering log data from a number of sources, normalizing the resulting data, and compiling the required audit and compliance reports.
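To make the "gather, normalize, compile" chore concrete, here is an added example (not code from the article or from PacketMotion) that takes log lines from two different sources, maps them onto one common record schema, and compiles a small audit summary from the result. The sample lines, the record schema, the sshd message format handled, the JSON event layout and the assumed year for year-less syslog timestamps are all constructed for illustration; the point it makes beyond the paragraph is that normalization must report what it could not parse, since silently dropped lines are a gap in the audit evidence.

```python
"""Normalize heterogeneous log lines into one schema and compile an audit summary.

Added example; sample data, schema and formats are constructed assumptions.
"""
import json
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample input: syslog-style sshd lines from a host "fw01" and
# JSON login events from an application "portal". Not from any real system.
SAMPLE_LINES = [
    "Nov  5 08:12:01 fw01 sshd[2201]: Failed password for root from 203.0.113.7 port 50122 ssh2",
    "Nov  5 08:12:05 fw01 sshd[2201]: Failed password for root from 203.0.113.7 port 50123 ssh2",
    "Nov  5 08:13:40 fw01 sshd[2210]: Accepted password for alice from 198.51.100.4 port 40000 ssh2",
    '{"ts": "2010-11-05T08:14:02Z", "app": "portal", "event": "login", "outcome": "failure", "user": "bob", "src": "203.0.113.7"}',
    '{"ts": "2010-11-05T08:15:30Z", "app": "portal", "event": "login", "outcome": "success", "user": "alice", "src": "198.51.100.4"}',
    "garbage line that matches no known format",
]

# Envelope of a classic syslog line: "Mon DD HH:MM:SS host proc[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<proc>[\w.-]+)\[\d+\]: (?P<msg>.*)$"
)
# The one sshd message shape this example understands (assumed format).
SSHD_RE = re.compile(
    r"^(?P<outcome>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_syslog(line, assumed_year):
    """Syslog line -> common record, or None if envelope or message is unknown."""
    env = SYSLOG_RE.match(line)
    if not env:
        return None
    body = SSHD_RE.match(env.group("msg"))
    if not body:
        return None  # known envelope, unknown message: still counts as unparsed
    # Classic syslog carries no year, so the caller supplies one (assumption).
    ts = datetime.strptime(
        f"{assumed_year} {env.group('mon')} {env.group('day')} {env.group('time')}",
        "%Y %b %d %H:%M:%S",
    ).replace(tzinfo=timezone.utc)
    return {
        "ts": ts.isoformat(),
        "source": f"{env.group('host')}/{env.group('proc')}",
        "user": body.group("user"),
        "src_ip": body.group("ip"),
        "action": "login",
        "outcome": "success" if body.group("outcome") == "Accepted" else "failure",
    }


def parse_json_event(line):
    """JSON login event -> common record, or None on malformed/irrelevant input."""
    try:
        obj = json.loads(line)
    except ValueError:
        return None
    if not isinstance(obj, dict) or obj.get("event") != "login":
        return None
    try:
        ts = datetime.strptime(obj["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if obj["outcome"] not in ("success", "failure"):
            return None
        return {
            "ts": ts.isoformat(),
            "source": obj["app"],
            "user": obj["user"],
            "src_ip": obj["src"],
            "action": "login",
            "outcome": obj["outcome"],
        }
    except (KeyError, TypeError, ValueError):
        return None


def normalize(line, assumed_year=2010):
    """Dispatch one raw line to the right parser; returns a record or None."""
    line = line.strip()
    if line.startswith("{"):
        return parse_json_event(line)
    return parse_syslog(line, assumed_year)


def compile_summary(lines, assumed_year=2010, fail_threshold=3):
    """Normalize all lines and compile the figures an audit report would need.

    Unparsed lines are returned verbatim rather than dropped, so the report
    shows exactly which evidence the normalizer could not account for.
    """
    records, unparsed = [], []
    for line in lines:
        rec = normalize(line, assumed_year)
        if rec is None:
            unparsed.append(line)
        else:
            records.append(rec)
    failures = [r for r in records if r["outcome"] == "failure"]
    by_src = Counter(r["src_ip"] for r in failures)
    by_user = Counter(r["user"] for r in failures)
    return {
        "parsed": len(records),
        "unparsed": unparsed,
        "successes": sum(1 for r in records if r["outcome"] == "success"),
        "failures_by_src": dict(by_src),
        "failures_by_user": dict(by_user),
        # Sources that crossed the failure threshold across *all* log sources.
        "flagged_sources": sorted(ip for ip, n in by_src.items() if n >= fail_threshold),
        "sources": sorted({r["source"] for r in records}),
    }


if __name__ == "__main__":
    print(json.dumps(compile_summary(SAMPLE_LINES), indent=2))
```

Because both sources are reduced to the same `src_ip`/`outcome` fields, the three failures from 203.0.113.7 are counted together even though two came from sshd and one from the portal, which is exactly the cross-source correlation a per-system report cannot give you.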

Summarizing what many IT security professionals believe, one information security architect at a large healthcare system recently stated that "operational efficiency is the biggest challenge facing the information security industry."

Mitch Christensen is Chief Technology Officer and Chief Architect at PacketMotion. Mitch has more than 25 years of experience designing and developing groundbreaking technologies that include distributed systems, search engine software and large-scale data storage solutions for government and commercial customers. Before joining PacketMotion, Mitch was the chief architect and lead designer for Informatix where he deployed an innovative search engine, document management system, and next-generation paperless payment processing systems for governmental agencies. Previously, Mitch served as the principal architect at Centegy Corp., where he led the development of the flagship remote integrator business integration server. Mitch also worked as senior architect at The Dialog Corporation where he brought their proprietary search engine technology and massive online content to the Web. In addition, Mitch spent several years doing research and development in the telecommunications industry. Mitch holds a patent for core remote integrator technology. He can be reached at
