You’ve got policies… now what?
One common problem we’re finding across enterprises is that they have lots of great policies for how their security is supposed to work. But when you ask them how they are monitoring those policies and making sure that their controls actually work, you get blank stares.
This inherent problem manifests itself in multiple ways that affect your budget. The legal system is getting more sensitive to electronic-evidence issues, and failing to follow your own data retention policies is highly frowned upon and a finable offense. Other security researchers have found that it is more cost-effective to automate compliance functions than to hire consultants. These internal controls also satisfy management’s desire for metrics on how effectively security dollars are spent. The next step for many security professionals is not to just chase down the newest vulnerability, but to test and validate that their security controls (both technical and process-oriented) are working. In this way you’ll justify your investments and reduce potential expenses in the long term.