Work took me to both the RSA show and the InfoSec show this year (whose brilliant idea was it to schedule those two shows back-to-back, anyways?). Wandering around both shows a little, and talking to some of the vendors, it struck me that:
- there's a whole lot more that IT organizations have to comply with in the US... many more regulations affecting IT in more industry sectors, and more teeth in them
- US security vendors have grabbed onto compliance messaging for a few years now. Every security vendor claims to help with compliance, and 2008 seemed to be the year of IT-GRC at RSA.
- some of the US vendors at InfoSec were trying to use compliance messaging in the UK and Europe, I suspect to not much effect.
A few people I spoke with mentioned the Data Protection Act, which sees little and lax enforcement. A couple of vendors specifically mentioned the UK GCS Code of Connection, which applies to government entities connecting to the UK government GCS network. But that's about it. The impact of PCI isn't really being felt in Europe yet either, based on the people I spoke with at InfoSec.
Maybe as a result of the lack of regulations, there were very few active IT-GRC vendors at InfoSec.
I have to believe that European firms are being targeted in the same way that US firms are, both by profit-motivated and state-sponsored hackers. The UK has had some high-profile data breaches in the past couple of years, although they have tended to be of the "lost laptop, lost memory stick" variety. It will be interesting to see what develops in terms of new regulations in the UK and across Europe. For now, in terms of compliance regulations and an emerging IT-GRC market, Europe seems a few years behind the US.
Jim
Jim Hietala
Jim Hietala, CISSP, GSEC, is Research Director and a principal of Compliance Research Group, providing research, analysis, and consulting services in the areas of compliance, risk management, and IT security. He is also the Vice President, Security for The Open Group, where he manages all security and risk management programs and standards activities.

Jim has provided research and consulting services to organizations such as SANS, The Open Group, and a number of IT security and compliance vendors. He is a frequent speaker at industry conferences, and he recently authored a comprehensive course on IT risk management. He participates in the SANS Analyst/Expert program, having written several research whitepapers and participated in several webcasts for SANS. He has also published numerous articles on information security, risk management, and compliance topics in publications including The ISSA Journal, Bank Accounting & Finance, Risk Factor, SC Magazine, and others.

An industry veteran, he has held leadership roles at ControlPath, Avail Networks, Alternative Technologies, eSoft, Qwest, Concentric Network, and Digital Pathways. He developed and launched the industry’s first remote access VPN service (Concentric RemoteLink) and encrypting ISDN router (at Network Express), and launched a compliance and risk management software start-up in the IT-GRC market.

He holds a B.S. in Marketing from Southern Illinois University.