Audits, Issues and Opportunities in Security Compliance

DSCN2345Security is one of the hardest but most crucial topics to discuss with your business customers. There is often a major disconnect between what they think you can do and what your team actually can do to secure their networks and data. Some still believe their solution providers can offer a 100% guarantee that their systems will never get hacked ̶ when no sane individual would offer that type of assurance. Many customers don’t know the difference between “complying” with standards and regulations and actually being secure. Those misperceptions have to be addressed early on in the solution conversation to prevent major issues (and significant blame) from occurring later.

Those were just a couple observations from panelists in the Common Problems Encountered in Security Compliance session at ChannelCon 2016. Each an accomplished professional in the security field, they detailed a number of issues faced by solution providers trying to document their adherence to laws, standards and best practices for their clients, regulators and insurers.

Session moderator Miles Jobgen, Director of Education for CompTIA, kicked off the discussion with a quick overview of industry compliance requirements. He also shared insight into the CompTIA Channel Standards, including the latest, Cybersecurity, which details a number of measures that solution providers have to take to protect themselves and their clients.

His first question to the panelists focused on how often providers should be conducting security audits. “It really depends on your environment,” said Ron Culler, CTO of Secure Designs, Inc. “There is an increasing amount of pressure being put on healthcare and financial services customers, and the state and federal governments are asking more and more questions. They are essentially asking “why we should trust what you’re doing?”

Tracy Pound, Managing Director of MaximITy suggested setting a minimum standard. “Audits should be conducted at least once a year and it is critical that the results get reviewed. That ensures they have a positive impact since things tend to change each year, including staff, customers and systems.”

“Insurance companies are a factor as well, and we’re seeing audits as a common requirement in more contracts each year,” said Mike Semel, President of Semel Consulting, LLC. “In cyber liability, they typically ask about data, firewalls and encryption, and businesses are only covered if they are doing what is expected at all times.”

Advice from the Experts                                                                                    With the basics out of the way, the conversation shifted to the examination process itself. “I never saw a young auditor,” said Pound. “They are experienced professionals so you don’t want to give them a reason to dig deeper. Auditors want to go through everything bit by bit by bit, and then will get into it a little more if they spot anything out of the ordinary.”

Semel added, “Everyone from the federal government and back examiners are looking for something different, so you need separate documentation for each compliance measure. You want to get them out of the building as soon as possible, so present the information in a way that helps you or your clients pass the audit. Everyone wants things to be perfect before they get audited, but you need to think the next one is just around the corner. When we go in and find issues they are always surprised. We may find all their data is backed up, but only for the servers ̶ their PCs and desktops might not be protected. You’re better off getting an audit so you can be prepared before something serious happens.”

“On the financial services side, the frameworks are the best place to start,” suggested Culler. “If you don’t have them, you’ll spin your wheels. And they are freely available, including within the CompTIA Channel Standards documents. Become proficient at documenting and tracking. You need to be able to show you have the right systems in place and, when auditors want the evidence, you can share and discuss the details.”

An important thing to remember, for providers and customers alike, is that the audit is not the final step. “You may feel a sense of relief, but it’s not the end of the process,” said Pound. “That’s the time for business improvement and for implementing suggestions listed in the audit. The cost of not doing them could be in the millions if something bad happens.

The opportunity for auditing and consulting is huge. “We love compliance because our clients have to do it,” added Semel. Auditing may not be something every solution provider wants to get into, but there are a host of compliance-related services any VAR or MSP can offer. It just depends on your team’s skills and comfort level with the processes.  

Leave a Comment