How do you protect sensitive data and networks? The approach you take tends to depend a lot on “size.” For most organizations, their “size” is simply measured by sales and revenue. For organizations processing credit cards, the “size” can be defined by the number of credit card transactions they process. No matter what measuring stick one uses, the larger the “size” of a corporation, the more information and assets it has to protect.
The size of an entity makes decisions about what to protect more complicated. Most small organizations know the assets and information they need to protect, but often simply aren’t aware of – or simply disregard – regulations specifying minimum security controls that must be in place (e.g. PCI requirements). Large corporations tend to have the opposite problem. They are most often well aware of the regulations that apply to them, but don’t have a clue how to strategically plan around complying with such regulations or requirements.
In a large and/or complex environment, the information and assets of an entity become exponentially more difficult to protect. New regulations and/or requirements stipulate compliance with specific security requirements. For large organizations and corporations that “grew up” without these stipulations, bringing themselves into compliance can be a very daunting task. One good example is identity management. Compliance with section 404 of Sarbanes-Oxley in the context of user provisioning, authentication, and access control can be extremely difficult for large organizations. Legacy systems, lack of a standardized password policy, customized provisioning systems, and inefficient (yet heavily utilized) manual processes are only a few of the major challenges that an enterprise may face.
Another good example is PCI compliance. Large organizations are charged with implementation of very specific controls to protect credit card data. For a large enterprise that evolved without these requirements, this can be a major challenge. Even determining where all the credit card data resides is often a herculean task, let alone architecting and implementing controls to bring the corporation into compliance.
Smaller companies face different sets of challenges. In the case of PCI requirements, many smaller corporations are out of PCI compliance and don’t even know it until they get a threatening letter in the mail from one of the major credit payment brands. Once they get such a letter, it turns into a scramble to a) figure out what PCI compliance actually is, b) figure out how to comply, and c) implement the controls to ensure compliance. The smaller corporation may have an easier time determining PCI in-scope systems and environments, but often faces issues that large enterprises aren’t as concerned with. These issues almost always involve budget and resource constraints.
Bottom line, the challenges an entity faces when attempting to protect its data and networks depend a lot on size – regardless of how it’s measured. Larger corporations have more resources to direct at securing their data, but may have a much more difficult time implementing solutions. Smaller organizations are much more agile, but often simply don’t have the knowledge or resources to get the job done.