In my experience, organisations find standards such as PCI much easier to comply with if stakeholders are able to collaborate in a centralised control-oriented process hosted in the Cloud. This has the immediate benefit of helping organisations automate their auditing process. It also gives them an easy way to devolve responsibility for completing questionnaires or sections of questionnaires to those most qualified to provide the answers, and to centralise evidence collection. This eliminates any need for lengthy spreadsheet-based programmes and frees up highly skilled compliance and risk personnel from time-consuming project administration.
The ability to bridge the intelligence gap between off-the-shelf and home-grown compliance systems is a real game changer. By giving organisations immediate visibility of the status and greater overall control over their compliance programmes, it helps them meet their current compliance demands and makes responding to future changes so much easier. Having a control-centric process that embeds demonstrable working controls into the daily routine keeps it separate from the regulatory standard and makes continuous compliance part of everyday best practice.
In conclusion, I believe a continuous BAU approach to information security is essential. Furthermore, a cloud-based software-as-a-service approach can make the transition of existing processes straightforward and extremely cost-effective. Improving the security of your organisation is a better way to safeguard against breaches than relying exclusively on ‘tick box’ compliance exercises. A continuous approach to compliance puts controls at the centre of the compliance programme, with control activity performed and monitored throughout the calendar year, as opposed to relying on an annual audit. This approach provides real-time visibility of the organisation’s compliance status – the net effect being more merchants incorporating PCI DSS compliance into their BAU practices and, importantly, improving the organisation’s security posture.