Regulatory requirements are part of the business landscape for most businesses. Regulatory compliance was cited as a driver for security investments by 40% of the respondents summarized in the March 2009 OWASP Security Spending Benchmarks Project Report. This reflects one of the drivers for the development of industry, state, and federal regulations – the confidentiality and integrity of customer data. Given the myriad types of businesses that draw value from this data, different regulations were developed to address requirements unique to those environments. Unfortunately, most businesses do not list compliance among their core competencies.

According to Chris Noell, Executive VP of Product Management for TruArx, most companies only manage about 5% of their compliance requirements. “In some cases, this is because organizations perceive that it will be too expensive to manage all their regulatory obligations, so they focus on the ones that they perceive have the most teeth,” Noell said in a recent podcast. This approach, said Noell, can backfire in the long term. The HIPAA HITECH Act, for example, states that the use of encryption to render sensitive communications unreadable exempts the organization from revealing the occurrence of a data breach. Short-term non-compliance may prove harmless if the company is lucky. However, once personal healthcare information is compromised, that company would have to announce the breach.

Many companies believe that the requirements covered in the few regulations they do comply with are common to other mandates. In other words, by complying with a few, they comply with all. Edward Schwartz, CSO of NetWitness Corporation, points out that each regulation addresses requirements specific to a particular business area. “Regulations are just designed to create a baseline,” said Schwartz, “a minimal acceptable value, security standard, and lexicon for people to speak to when they talk to each other,” within an industry.
Noell points out that businesses should leverage technology to assess all their compliance obligations. “One thing nice about having a harmonized database of controls is that you can actually confirm how much overlap there is between various regulations,” said Noell.

In order to compete effectively, businesses must understand the regulatory issues that shape the business landscape. Organizations should assess their compliance obligations. Once those obligations are determined, governance tools should be implemented to manage them effectively.