Vormetric has now reached 1400 customers worldwide, with strong deployments in place and expanding throughout the US, Europe and Asia / Pacific regions. In the vast majority of these customer implementations, compliance in one of its many forms plays a primary role in the decision to deploy Vormetric solutions, and usually there is a need to meet several compliance requirements at once. That is not surprising given the complex web of regulation, industry compliance requirements and privacy laws worldwide. A short snapshot of some of these includes:
- PCI DSS compliance for organizations that need to safeguard credit card data
- USA HIPAA / HITECH for protection of patient ePHI (electronic protected health information)
- 99 national data privacy laws on the books and another 21 countries with privacy bills pending
- Data residency needs for Global organizations
- Safe-harbor exemptions from data breach notification requirements in 48 of 50 US states
- Financial rules under GLB/SOX
- US Federal agency requirements under FedRAMP/NIST 800-53/FIPS 200/FISMA
- South Korea’s PIPA data protection requirements
- Australian Privacy laws
- EU Data Protection requirements
Why is compliance such a driver for implementing protection of data? In my view, without the goad of an audit process to drive good behavior, organizations tend to stagnate and keep doing what they are already doing, rather than implementing the changes needed to keep up with a quickly evolving threat environment. For example, even with the data supplied by organizations like Verizon and Mandiant showing that enterprise perimeters are now porous, organizations often won't move to protect the data itself (beyond firewall, network and endpoint tools) until a compliance requirement forces the issue. We see this constantly at Vormetric. There are three main reasons for this in my view: inertia, priorities and organizational denial.
Partly this is simple inertia. Many people in IT have invested their careers in protecting their organization with these perimeter, network and endpoint tools, and until recently that was enough (especially if their organization kept a low profile).
Another reason is organizational priorities. You see this consistently in healthcare, for instance. Patient care is the priority, and organizations focused on it have a hard time justifying data protection to themselves without an external requirement that has to be met as part of doing business.
There is also the "it can't happen to me" syndrome, a standard human way of dealing with the many uncertainties and threats we face in life. But when an organization holding sensitive data applies it in the environment we operate in today, it is simple denial, and it will eventually result in a loss.
What's the problem with relying on compliance to drive the right behaviors? It simply isn't timely enough. There is a large lag built into passing laws and updating industry body requirements: for legal remedies, years at best; for industry bodies, a fairly high number of months. Look at the lag for one of the most successful compliance standards, PCI DSS, in the change from version 2.0 to 3.0. From the finalization of the requirement set to full implementation, between 18 and 24 months will have elapsed when June of 2015 rolls around and the last of the requirements must be implemented.
So what's the solution to the problem? We've found that organizations that incorporate risk management are much more consistent about driving good behavior that makes sense for the business. Organizations are starting to realize this. It came up at this year's Gartner Security Summit, for instance, where Gartner predicted that by 2017 one third of organizations will have a Digital Risk Officer in place. A customer story: a great Vormetric customer in the utility sector started up their risk and compliance practice. They evaluated their business and how best they could mitigate and reduce risk, and implemented Vormetric as one of the first solution components. Think about this for a minute. This utility was in the power sector. They undoubtedly have underground gas lines, power plants, large transformer stations, and an entire power grid and infrastructure that add risk to their business. But one of the easiest, least expensive ways to reduce their organizational risk was to protect sensitive customer data with encryption and access controls from Vormetric.
That’s an eye opener.