Compliance: Ushering in the Apocalypse!? - Following the White Rabbit Blog

I read an interesting article tonight, on my flight out to Washington, DC for the CSI Conference (where I hope to meet some of you... ping me if you're here and I haven't talked to you yet). This article, titled "The Coming HIPAAcalypse", presented a very grim view of compliance with the HIPAA regulations, but the author could have just as easily been talking about PCI or any other regulation. As I read this article I couldn't help but think... "Why does it have to be this difficult?" I say this from experience, having been there in the thicket of PCI compliance in a previous job - trying to manage the complexities of budget, compliance need, and resources with frustration to spare - but does it really have to be so hard?

  Thinking in the context of web applications - that's the focus of this blog - everyone has them in their business.  What's more, everyone has mission-critical applications in their business.  Further than that... these applications must be available, usable AND secure... 24x7x365.  This can at times seem like an unattainable goal when you add compliance to the mix.  You know you've been there, and you've wondered how you're going to solve these issues.

I offer a glimmer of hope. When it comes to compliance, automation is the key. You won't get more staff, more budget, or more resources, especially with the looming economic conditions, so how do you get into the compliance winner's circle? Automation. If you can find a way to automate some of your security "testing", you may be able to get compliant faster and have a few dollars left over for other critical security initiatives. Automation of testing, data aggregation, and presentation of IT Risk as a component of compliance not only makes it easier to assess where your company is on the compliance journey, but also helps you (to use an old cliche) "do more with less". If you're facing compliance challenges, and web applications are involved... this should ring bells for you. If you're interested in hearing more, or a message more customized to your specific situation - contact me directly, I may have an answer you can live with.


Posted 11-17-2008 3:56 AM by RafalLos
