Common Mistakes in App Sec Monitoring for Compliance

When it comes to application security monitoring, there are three major mistakes that companies make: not knowing what they’re on the hook for, an inability to catch mistakes, and insufficient or nonexistent follow-through. There are a number of things that go into each of these mistakes, so let’s break it down.

Compliance tends to come from legal departments. Info sec plays a part in compliance and can be a bridge, and privacy departments, which are typically led by lawyers, are involved as well. What happens is that these three departments come together, determine which compliance guidelines the company should be incorporating, and write an OISP. If your company needs to be HIPAA, PCI or GDPR compliant, your OISP will include language for that. The problem isn’t knowing where the business needs to be compliant; it’s ensuring that the information is disseminated throughout the company.

The first mistake companies make is that, outside of a small group, they are not aware of what they’re actually on the hook for. That information is not disseminated through the company, at least not in a digestible way. For example, if a company needs to be HIPAA or GDPR compliant, the executives in the company might know that they’re on the hook for 4% of their annual gross revenue as a fine. However, the developers on the front lines of the business have no clue that not having a way to thoroughly delete all of a user’s info on demand is risking millions or billions of dollars. So step one is ensuring that people outside of the executive pool and the directly compliance-related departments actually help maintain compliance by understanding what’s on the line if they don’t.

The second mistake is failing to understand that you have to catch ignorance, because you can never totally prevent it. Lack of knowledge in compliance is a problem, so even if you’re educating your employees, you still have to catch their mistakes. Businesses are compliant on the day they’re audited and on the day they start, but in between those dates, if there’s no monitoring, they aren’t catching the accidental and well-intentioned mistakes of their employees. Not catching these mistakes can result in hefty fines on the business.

The third mistake happens when companies actually do educate their employees and disseminate information, but there’s no active follow-through. Yearly auditing is not enough. People can prepare for an audit and be compliant on that specific day, but monitoring needs to happen more frequently to ensure that compliance is happening day in and day out. And monitoring needs to be active. If an employee does something wrong and doesn’t realize it for six months, or worse, tries to fix it on their own and causes further problems, the business is still on the hook for everything that has happened, and in some cases fines have accrued for as long as the problem has gone uncorrected. So monitoring can’t be passive until it’s audit season.

These mistakes are costly to companies, and if a company isn’t properly prepared to handle the fines thrown at it, they could very well put it out of business. So ensure that information is disseminated throughout the business, actively monitor employees to ensure compliance is maintained, and systematically follow up to make sure you’re still compliant between audits. Taking these steps goes a long way toward keeping your business compliant.

About the Author

Pieter VanIperen, Managing Partner of PWV Consultants, leads a boutique group of industry leaders and influencers from the digital tech, security and design industries that acts as a trusted technical partner for many Fortune 500 companies, high-visibility startups, universities, defense agencies, and NGOs. He is a 20-year software engineering veteran who founded or co-founded several companies. He acts as a trusted advisor and mentor to numerous early-stage startups, and has held the titles of software and software security executive, consultant and professor. His expert consulting and advisory work spans several industries, including finance, media, medical tech, and defense contracting. He has also authored the highly influential precursor HAZL (jADE) programming language.
