Managing Business Growth vs. Compliance


Have you ever tried gardening? This may seem like a random question, but if you have tried it you know that having the right tools (e.g. spade, rake, water hose) is critical to the success of your garden. As your garden grows, you will need more supplies and tools, so making sure you have the "right" things is very important. Businesses and gardens are very similar in this regard, particularly when it comes to a business's IT infrastructure. As a company grows to enable new product lines, improve customer service, reach into new markets and improve efficiency, it is essential that its IT infrastructure grows with the company so that it remains capable of handling the demands the business places on it.

Where does compliance come in?  

IT growth brings with it concerns about how information is being handled. Processes need to be implemented, and in some industries it is mandatory that sensitive information is handled securely. One way to give assurances to regulatory bodies, as well as to customers, is to follow recognized security frameworks. Your organization can do this by achieving certification against ISO27001:2013 or PCI DSS 3.0, or by having an annual SOC report generated.

However, this is not a case where you can rest on your laurels after receiving certification. Your security program is a continual process: as your IT world changes, so will your security world. Think of it this way: as your IT infrastructure changes, your threat landscape changes dramatically with it.

Best practices for companies

Times are changing, and so is how we conduct business in the workforce. For example, bring your own device (BYOD) is gaining popularity: more people are bringing their laptops and mobile devices from home and connecting them to the company network. However, this arrangement presents a whole host of IT security issues of its own. How will the company ensure that its data is safe when employees use the same device at home and at work, or when that device is lost or stolen? A lost or stolen device could allow another individual to obtain sensitive information about the company.

Privacy concerns are also a legitimate issue, as employees will want to be sure that any personal information on their device is not being accessed without their knowledge. BYOD is a great example of an initiative that may move the business forward and make employees' lives easier, but creates security issues in the process.

Many of these issues can be addressed by ensuring your company implements the standards relevant to your line of work or industry. For example, a company in the retail industry that deals with credit card data would benefit from becoming PCI DSS certified, which assures businesses that use your service, as well as customers, that their credit card data is being handled securely according to an industry-recognized standard.

The role of data storage in compliance

Data storage can also become an issue when discussing IT compliance. Staying with the gardening theme, if you want to increase the number of plants in your garden, you might have to build a bigger garden; in the case of data storage, as our storage needs increase we need to consider how we will meet them. Companies must decide whether to continue incurring the growing cost of housing all their data internally, or to move to another model, such as a hybrid or external cloud system.

Although this could be a viable financial option, having all that information hosted offsite creates security concerns of its own. Settling for the middle ground with a hybrid cloud potentially gives a company a more financially sound option than expanding its internal data centre, while still delivering the essential security. "A true hybrid cloud environment allows organizations to treat private and public clouds as a single entity, moving workloads in and out of the public cloud when necessary without needing to invest in costly and time-intensive migration projects or additional hardware to solve the problem." [2]

Main takeaways:

  • Business growth is important, but compliance and the security of information are just as important, if not more so
  • Compare your processes against globally accepted standards (ISO 27001, PCI DSS) to ensure compliance
  • Data storage can be a real issue, but there are real solutions
    • Hybrid clouds are gaining traction and can be a great alternative for ample data storage without sacrificing security

Reference(s):

  1. 7 Biggest IT Compliance Headaches and How CIOs Can Cure Them
  2. Managing the success-compliance balancing act