For a company like Citrix, selling solutions across a broad range of industries and geographies, meeting the security and compliance requirements of our customers could easily become an overwhelming prospect. This would be especially true if, like many companies, we approached security in a top-down fashion, beginning with a foundation of standards from ISO, NIST or ITIL, and then addressing compliance on an industry-by-industry and geography-by-geography basis. Instead, we define the core of our security strategy around the requirements of our customer base. In the words of Citrix Chief Security Officer Stan Black, “By creating a single, customer-centric set of policies to enforce, monitor and report against, we can ‘assess once, comply many’—and streamline our efforts to redirect resources to more proactive security work.”
Any large enterprise serves a broad spectrum of customers, both internal and external, with diverse security requirements. Inside the company, accounting, legal, audit, sales, marketing, engineering and HR each have different priorities and concerns based on the types of data they work with, the people they serve and the standards that apply to their work. Externally, the company’s customers may require compliance with an equally varied array of mandates according to their industry—financial services, healthcare, retail and more.
For the security organization, assessing compliance with customers’ contractual obligations for security can involve a dizzying array of spreadsheets used to track requirements by industry and geography. As Stan points out, people tend to look at the world of security and compliance within their own narrow perspective. “I used to work for banks, healthcare organizations, biotech companies and other types of businesses, and I’d write policies on access control for each of them. It struck me that it was the same every time, though called something different. Why not standardize the policy itself, and use a presentation layer to apply industry-specific nomenclature?”
That’s the essence of customer-centric security, the approach we use at Citrix. Instead of approaching compliance piecemeal, we bring together the security experts from each part of the company, including each of the industries and geographies we serve, and work together to establish a single set of policies that reflects the full range of expectations and requirements of both internal and external customers. As a publicly traded company, we have to comply with Sarbanes-Oxley, so that’s part of the mix. Our US customers in finance are governed by the standards of the Federal Financial Institutions Examination Council (FFIEC), so we add that as well. We map out all the requirements component-by-component, from hardening to monitoring and reporting, all rolled up into a single dashboard that shows how they overlap.
Customer-centric security helps us achieve tremendous clarity, rationality and efficiency in tracking and reporting compliance. Regardless of the customer who’s asking about our security policies, we have a single place to look for the information; it’s just a matter of reporting it to a different group each time. Again, we can assess once, comply many.
We can also respond more quickly to incidents and changes. If an incident occurs, we can easily identify all the regulations under which it meets the threshold for mandatory reporting, instead of having to sort through separate spreadsheets for each business area. If we make a change like requiring more characters for user passwords, we can see how this will affect our compliance with the full spectrum of regulations instead of tying up a small army of staff to check boxes one by one.
More and more companies are beginning to take this approach, and for good reason. By simplifying the way we assess and report our compliance with customers’ security requirements, we can direct our staff to more strategic, proactive security measures. Stan Black will be presenting a keynote on customer-centric security at InfoSeCon in October. To learn more, visit citrix.com/secure.
About the author
Stacy Bruzek Banerjee is the director of solutions marketing for Citrix and is responsible for global security, business continuity and BYOD solutions. Prior to Citrix, Stacy worked to build Guidewire to explosive growth and a successful IPO. She has held marketing leadership roles at Oracle, Symantec and VISA, where she focused on data management, security and collaboration. She holds a bachelor’s degree from the University of Minnesota. Feel free to read more of Stacy’s blogs.