This week, I spoke at the International Information Integrity Institute’s Forum in Dallas. The I4 is an interesting bunch. This members-only event brings infosec practitioners from around the world to swap war stories and hear about new trends. I was blown away by the attendees and the raw, frank way they discussed their issues.
“SOX sucks.” That was the gist of what one attendee said to me. She outlined the myriad hoops she has had to jump through dealing with SOX. Behind her frustrations was an implied question shared by many attendees: “When will we be done?”
When it comes to regulatory pressure, sadly, there is an inverse relationship between how tightly a regulation is written and how long it will take to become compliant. The tighter the reg, the less time it will take, and vice versa. PCI is fairly tight, whereas SOX (and its interpretations) is pretty loose when it comes to IT.
When it comes to major IdM projects, they often get presented to the enterprise like a decree from the Kremlin: “Good news, Comrades! We have a five-year plan for achieving compliance through user provisioning. We shall be victorious.” The reality is that it really may take five years, but there’s no way you’ll sell upper management on going that route. Successful projects use guerrilla tactics: find a small target, plan thoroughly, achieve the goal, move on to the next one. You can make the big five-year plan work by stringing small victories together to reach the end goal.
Unfortunately, in this litigious world, getting to “done-ness” is getting harder and harder. The good news is that every small victory and every step we take along the way makes the business better.