The amount of money spent on compliance and data protection is staggering at first glance, but it’s really only a small percentage of the financial and reputational value that a business risks without it.

Research indicates that a vast majority of organizations are not leveraging the appropriate compliance and IT governance procedures. Perhaps it’s our fragile economy, the media or maybe just plain old paranoia, but compliance issues are clearly on the business radar and now have moved from the proverbial kids’ table to the big seat in the board room.

LTW’s second in a series of Exchange events focused on HIPAA, PCI regulations and SAS 70 compliance and was held in Charlotte on Wednesday. More than 60 executives working in these areas throughout North Carolina gathered at Byron’s South End to explore the importance of protecting business, data and especially clients.

The expert panel discussion was moderated by Dan Manley, senior manager at KPMG IT Advisory Services. Also on the panel were Patty Brandow, senior director of Internal Control Compliance at Time Warner Cable; Keith Haskett, vice president of Operations at ATTUS Technologies; and Gideon Rasmussen, vice president of Merchant PCI Compliance for Bank of America.

Given that the Triangle is better known for health care, and that the spotlight was on HIPAA (Health Insurance Portability and Accountability Act) at last week’s event in Durham, it was no surprise that Wednesday’s event in the Queen City – better known for financial services and banking – saw the discussion lean more toward PCI (Payment Card Industry) compliance and SAS 70, an internationally recognized auditing standard for data controls.

SAS 70 stands for Statement on Auditing Standard 70; it was developed and is maintained by the AICPA (American Institute of Certified Public Accountants). It should be noted that SAS 70 is not a bare-bones checklist audit. It involves an intensive audit of a company’s data controls by an outside organization.

The audit determines if the enterprise’s information security program is sufficient and if all employees are following it. SAS 70 auditors check the controls that are outlined in the program to determine if they are sufficient for a company’s needs. They then determine if the controls are actually being used.

Today’s IT vendors are starting to recognize that many companies are desperate for guidance in this area.

“I see the SAS 70 audit as an investment,” explained Haskett during the discussion. “There was a 47 percent recorded increase in data security breaches over the last year. Customers are not going to want to do business with a vendor who doesn’t take these kinds of steps. It’s a necessary evil to do business today.”

Haskett also noted an interesting tidbit for those looking to get a SAS 70 audit done.

He explained that a SAS 70 Type I audit typically accomplishes much less than a SAS 70 Type II. A Type I audit is a point-in-time review, but it doesn’t really test the controls. Added Haskett: “We found internally it was good to go through the SAS 70 Type I before undergoing the SAS 70 Type II, but that’s one you really need.”

As for PCI, a collaborative effort to establish a common set of security standards for entities that process and store payment card data, there has been a lot of talk recently about its effectiveness and whether it really protects you and your customers.

Most in this space know that PCI compliance is not the end-all of security. Security is a mindset, and nobody can ever say that they are perfectly secure. PCI is the first step to building up security by following the current security standards and scanning your servers for vulnerabilities.

“PCI can have a profound impact on an organization,” said Rasmussen. “But don’t rely on PCI compliance for all your clients’ data.”

Rasmussen noted that businesses really need to take a hard look at the gaps within the PCI standard – things such as sniffing and malware – and not focus solely on preventive controls in their risk assessments.

“You want to know if your network has been compromised immediately, not five months after the fact,” he said.

As for the future, several topics came up, such as remediation, regulation, an increased focus on ATMs and virtualization, and even a brief discussion of the psychology of the criminals out there right now.

Brandow of Time Warner Cable added a warning.

“Our current economic downturn will provoke some creativity in criminal activity,” she said. “I think the regulations are going to keep getting stronger as new breaches are being identified. Internal controls are great and mitigate risk, but they don’t eliminate it. You have to identify those gaps and remediate [them] as quickly as possible to make your environment as strong as you can.”

According to Manley, the moderator, controls are not absolute. There is always going to be a potential weakness.

“Business is organic,” explained Manley. “You must be able to set realistic expectations as well as manage and anticipate change in how you operate your business.”