Editorial Preface

Information security management: compliance challenges and new directions

Compliance in information security management (CISM) refers to organizations’ adoption and implementation of a variety of security controls in technologies, processes, and people to conform to security standards, laws, and regulations. The cost of noncompliance has been rising, reaching an average of $14.82 million per organization in 2017 (Ponemon, Citation2017). In some high-profile cases, noncompliance and data breach cost firms hundreds of millions of dollars (e.g., a $124 million fine for the Marriott data breach in 2018 and a settlement of $1.4 billion for the Equifax data breach in 2017; Belding, Citation2020). Realizing the criticality of CISM, organizations have been investing millions of dollars each year in CISM (Ponemon, Citation2017). However, at the same time, the complexity and scale of CISM have grown significantly due to the fast growth and expansion of regulatory territories and industrial mandates as well as emerging information technologies (e.g., cloud computing and Internet of things). Consequently, CISM stands as a major challenge in many organizations. In this paper, I discuss the role of CISM, pinpoint some specific challenges in CISM, and suggest future research directions.

Role of CISM

CISM in organizations can be mandatory and/or voluntary. Mandatory compliance occurs when an organization is subject to security-related laws and regulations. As there is a multiplicity of security laws and regulations applicable to all types of industries, mandatory compliance is inevitable in organizations. A common goal behind laws and regulations is to make the involved entities liable for breaches of data privacy and security while forcing them to implement a defense-in-depth strategy, that is, to build layered protection and defense mechanisms for essential systems and data against various security threats (Frenz & Diaz, Citation2017). As such, many laws and regulations play a role in directly or indirectly guiding and influencing information security management (ISM) in organizations. In other words, when an organization has fully complied, it may achieve a certain level of maturity in ISM. For example, the security rule in the Health Insurance Portability and Accountability Act of 1996 (HIPAA) “requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information” (HHS, Citation2020). To be HIPAA compliant, healthcare organizations need to follow the HIPAA guidelines to “protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity” (HHS, Citation2020). Similarly, the Payment Card Industry Data Security Standard (PCI-DSS) imposes 12 security requirements in six areas on organizations that handle online card payments (PCI, Citation2022). To be PCI-DSS compliant, organizations have to implement layered defense mechanisms covering detection, protection, monitoring, and improvement.

Beyond these examples, as the business environment has spanned the globe, organizations inevitably struggle to maneuver among a stack of compliance requirements from domestic and international laws and regulations. To stay vigilant on compliance issues, organizations often voluntarily comply with industrial frameworks and standards such as the NIST (National Institute of Standards and Technology) cybersecurity framework and the ISO 27000 series. These frameworks and standards serve as a model of best practices in cybersecurity risk management for organizations to strengthen ISM. They can also be used as a guidebook with an organizing structure for organizations to develop methodologies, procedures, and policies to address cybersecurity risks and meet regulatory compliance requirements. For example, the NIST cybersecurity framework claims to “provide a common taxonomy and mechanism for organizations” to build a profile of their current cybersecurity posture and identify gaps as well as continuous and repeatable improvement opportunities to progress toward their cybersecurity target (NIST, Citation2018). The ultimate goal of these frameworks and standards is to integrate ISM into organizations’ routine risk management and build cyber resilience, that is, the organization’s “ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems” (NIST, Citation2022).

In essence, compliance has become the crux of, if not equivalent to, ISM in practice. It has evolved into a key element of any successful organization. However, organizations have been stretching their resources and are still struggling with CISM to meet continually increasing compliance requirements (Deloitte, Citation2020). In the next section, I discuss some of the main challenges in CISM faced by organizations.

Challenges in CISM

Challenge 1: complexity and scale in CISM

There is never enough compliance, just as there is never enough security. Many organizations now must comply with multiple laws, regulations, frameworks, and standards to meet compliance requirements and scrutiny. As such, keeping up with rapid regulatory and industrial changes, mapping security requirements across multiple laws, regulations, frameworks, and standards, and implementing new security controls in technology, process, and policy have turned into a tedious, recurring affair in organizations. Adding more and more security controls to satisfy compliance requirements also significantly increases the complexity of CISM. Some organizations believe that the scale and scope of CISM have reached a point where CISM could have a negative impact on business operations (Deloitte, Citation2020). Moreover, the complex supply chain often involves many third-party providers (e.g., cloud service providers). Many third-party providers either have access to the organization’s internal systems and data or host such systems and data for it, thereby adding another layer of complexity to CISM. Organizations in general have very limited knowledge of, and control over, compliance at their third-party providers but still carry liability for those providers’ noncompliance (e.g., the Target data breach case in 2014; Hoehle et al., Citation2022).

Challenge 2: overwhelming and repetitive compliance work in CISM

In CISM, organizations must create a repeatable approach to implementing security controls. To do so, they must identify and document repeatable processes and activities for identifying, assessing, and managing security risks. IT departments in organizations are thus overwhelmed by such repetitive but intensive work. CISM also means creating a security culture in which all employees in the organization are aware of their security responsibilities and compliance obligations (Chen et al., Citation2015). This also means that, to some extent, the compliance team is responsible for everyone’s compliance in the organization, which is overwhelming. Moreover, there is plenty of redundant and repeated effort in CISM: different units or branches may work in silos and thus not be aware that the same compliance work has started or been done in another unit or branch. Several security consultants I informally interviewed described their frequent observations of such redundant work in organizations. Additionally, many organizations use external auditors to audit and certify their compliance. Auditing and certification frequently involve intensive documentation work, which is inevitably overwhelming to organizations.

Challenge 3: resource constraints

The complexity and scale of CISM create an overwhelming compliance workload that has been exhausting resources in organizations. Eighty-seven percent of surveyed firms claimed that they have exhausted their current resources and capacity for CISM (Deloitte, Citation2020), not to mention small and medium-sized organizations that do not have such resources and capacity in the first place (Untangle, Citation2019). The lack of talent with knowledge spanning both the cybersecurity and compliance fields and the constraints on security budgets are the two main resource constraints in CISM. While these two constraints are not unique to business environments, they are a challenge that cannot be overcome in the short run (Deloitte, Citation2020) and require innovative solutions.

Challenge 4: compliance challenges brought by emerging ITs

Emerging ITs bring new security challenges and lead to rapid changes in CISM. Machine learning and artificial intelligence (ML/AI) software can integrate data from various sources to uncover hidden knowledge, but it may invade the privacy of consumers and cause information leaks. While augmented reality, which blends the real world (as well as its abundant data and information) into the virtual world, may crack open a new era for businesses, it may also expose them to new security threats. Interconnections of various devices (e.g., the Internet of things) have been a nightmare for CISM. Cloud computing provides an agile and cost-saving IT solution for organizations, but CISM is then mainly managed through service level agreements, and organizations have no control over or knowledge of compliance practices at the cloud provider. In general, organizations need to develop new expertise in emerging ITs while being burdened with conforming to new compliance requirements from regulatory bodies for those same emerging ITs.

A look toward the future

Looking toward the future, CISM needs innovative solutions to ensure its sustainability in organizations. In seeking such innovative solutions, IS scholars may look into the following three directions.

Direction 1: building and using an integrated security framework

In practice, many organizations must comply with multiple security frameworks and various security regulations and laws. This can be especially challenging for small- and medium-sized businesses that are involved in international trade and operations and are mandated to comply with both domestic and international security regulations. IS scholars may help this endeavor by utilizing IS tools such as ontologies to research how to build integrated security frameworks with updating capability organized by industry (the same industry tends to face the same or similar compliance requirements). With such an integrated security framework built, an industry may be able to share outputs in security governance, policies, and procedures, thus avoiding repeating the same compliance tasks (e.g., mapping of regulations and frameworks) in individual organizations. This leads to the second direction for CISM.

Direction 2: building and using reusable modules

One major methodology in cybersecurity frameworks is to guide organizations to build repeatable security processes and procedures in risk identification, threat detection, and risk controls (NIST, Citation2018). This means many security processes and procedures in CISM can be developed as repeatable and reusable modules. IS research has a long history of studying methods and strategies to develop reusable modules and components for information systems (Apte et al., Citation1990; Banker & Kauffman, Citation1991). Modularization can significantly reduce the workload for CISM, given the repetitive nature of CISM. This points to the third direction in CISM – security automation.
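The integrated framework of Direction 1 and the reusable module of Direction 2 can be illustrated together by a control crosswalk: each implemented safeguard (a "common control") is mapped once to the requirements it satisfies in every framework, so one piece of evidence counts toward all of them and the remaining gaps, and the controls that would close the most of them, fall out mechanically. This is an added example, not code from the preface or from any of the frameworks it cites; every framework name and requirement identifier in it is a constructed placeholder, not a real clause number.

```python
"""Cross-framework control crosswalk with gap analysis (added illustration).

Framework names (REG-A, REG-B, STD-C) and requirement IDs are constructed
placeholders standing in for, e.g., a law, a regulation and an industry
standard; they are not real clause numbers.
"""
from collections import defaultdict

# Requirements each framework expects to see satisfied (constructed sample).
FRAMEWORK_REQUIREMENTS = {
    "REG-A": {"A-1", "A-2", "A-3", "A-4"},
    "REG-B": {"B-1", "B-2", "B-3"},
    "STD-C": {"C-1", "C-2", "C-3", "C-4", "C-5"},
}

# Common controls, each mapped once to the requirements it satisfies per framework.
CROSSWALK = {
    "CC-MFA":           {"REG-A": {"A-1"}, "REG-B": {"B-1"}, "STD-C": {"C-1"}},
    "CC-ENCRYPT-REST":  {"REG-A": {"A-2"}, "STD-C": {"C-2"}},
    "CC-LOG-RETAIN":    {"REG-A": {"A-3"}, "REG-B": {"B-2"}, "STD-C": {"C-3"}},
    "CC-VENDOR-REVIEW": {"REG-B": {"B-3"}, "STD-C": {"C-4"}},
    "CC-IR-PLAYBOOK":   {"REG-A": {"A-4"}, "STD-C": {"C-5"}},
}


def satisfied(implemented, crosswalk=CROSSWALK):
    """Requirements satisfied per framework by the implemented common controls."""
    out = defaultdict(set)
    for control in implemented:
        for framework, reqs in crosswalk.get(control, {}).items():
            out[framework] |= reqs
    return dict(out)


def gaps(implemented, requirements=FRAMEWORK_REQUIREMENTS, crosswalk=CROSSWALK):
    """Outstanding requirements per framework, sorted for stable audit reports."""
    done = satisfied(implemented, crosswalk)
    return {fw: sorted(reqs - done.get(fw, set())) for fw, reqs in requirements.items()}


def next_controls(implemented, requirements=FRAMEWORK_REQUIREMENTS, crosswalk=CROSSWALK):
    """Unimplemented controls ranked by how many open requirements each would close
    across all frameworks at once, i.e. the payoff of doing the work a single time."""
    open_reqs = {fw: set(r) for fw, r in gaps(implemented, requirements, crosswalk).items()}
    scored = []
    for control, mapping in crosswalk.items():
        if control in implemented:
            continue
        closes = sum(len(reqs & open_reqs.get(fw, set())) for fw, reqs in mapping.items())
        scored.append((closes, control))
    return [c for n, c in sorted(scored, key=lambda t: (-t[0], t[1])) if n > 0]


if __name__ == "__main__":
    have = {"CC-MFA", "CC-ENCRYPT-REST"}
    print("open requirements:", gaps(have))
    print("highest-payoff controls to add next:", next_controls(have))
```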

Direction 3: using AI, ML, and security automation

Security automation is not new. Security research communities have a long history of developing security artifacts to automate various security tasks and processes such as access control, computer virus detection and prevention, fraud and phishing detection and prevention, and intrusion detection and prevention (e.g., Abbasi et al., Citation2015; Dong et al., Citation2018). However, with the advances in big data and ML/AI technologies, IS researchers can help organizations leverage such technologies to automate many of the processes and tasks in CISM. One area is risk assessment. IS researchers may build ML/AI models based on rich data (e.g., technical, behavioral, and social media data) from internal and external sources for more proactive threat prediction and detection. Another area is automating security policy enforcement to remove as many human factors as possible from the loop of ISM and thus eradicate human errors in CISM (Cranor, Citation2008). Automated incident response can also be an area for security automation, because the procedures of incident response for a given type of incident are relatively fixed or similar across organizations. As such, incident response playbooks can be developed and automated. Documentation and reporting, including compliance auditing, have been tedious tasks in CISM. IS research can study automatic documentation and reporting in CISM and ease the compliance burden for organizations. Lastly, CISM lacks comprehensive visualization tools to inform management of the security posture of the organization. How to use data visualization tools for CISM may be of research interest to IS scholars.

In conclusion, organizations face rising costs of CISM and security management in response to rapid changes in regulations and new cyber threats brought by emerging ITs. Through security automation and modularization based on integrated security frameworks, organizations can replicate best security practices for CISM on a sustainable budget.

Disclosure statement

No potential conflict of interest was reported by the author(s).

Additional information

Notes on contributors

Yan Chen

Yan Chen is an associate professor and Ryder Eminent Scholar Chair in Management Information Systems in the Information Systems and Business Analytics Department at Florida International University. She received her Ph.D. in management information systems from the University of Wisconsin–Milwaukee. Her research focuses on information security and online fraud, security management, information privacy, and social media. She has published more than 40 research papers in refereed academic journals and conference proceedings, including Information & Management, Information Systems Research, Journal of Management Information Systems, Journal of the Association for Information Systems, MIS Quarterly, and others. She is a recipient of research scholarships and best paper award nominations, and a member of the Association for Information Systems. She has been serving as a reviewer for many IS journals and conferences, including Decision Sciences, European Journal of Information Systems, Information & Management, Information Systems Research, Journal of Management Information Systems, Journal of the Association for Information Systems, MIS Quarterly, and others.
