Opinion
IT Security: Can We Be Compliant and Yet Insecure?
Bill Sieglein on how to go beyond regulatory checklists.
By Bill Sieglein
These laws have been around now for several years. The information security industry has seen unprecedented growth as a result of efforts to comply with these laws. The information security executives' role has expanded far beyond just implementing security technologies. We are now deeply involved in ensuring our firms pass audits, avoiding negative press and keeping our executives out of jail.
For me and my colleagues these laws were a welcomed impetus because they forced our executives to wake up and begin paying attention to the importance of information security. While that new attention brought with it increased budgets and resources it has had a side effect we might not have anticipated. In their zeal to meet compliance requirements (and stay out of jail), our executives have adopted a compliance checklist mentality. "Just get through the audit" seems to be our executives' mantra.
The negative side effect of a checklist mentality is that we focus on getting boxes checked off rather than making sure we are doing the right thing. I use the analogy that there might be a requirement for a door and so we install a door. Unfortunately the door is pointless without a lock but the requirement did not ask for a lock and so we did not get one. This is what I mean when I ask, "Can we be compliant but still insecure?"
So how do we overcome this challenge? What can we do as security and compliance executives to ensure that we are ensuring compliance and managing traditional information security risk at the same time? With our budgets likely to be shrinking as the economy slows, we better make sure we are doing the most with what we have.
Here are my suggestions. I like to call this the way to make a security and compliance smoothie.
Start with ALL the Ingredients
Make sure that you know all of the things you want to include in your security and compliance requirements mixture. Remember that the ingredients are not just laws and regulations. Make sure you include your industry mandates, international standards, business partner agreements and your own internal policies. Without all of those you don't really have the complete picture.
Blend them Well
One of the problems I have seen in the past with trying to comply with all those things is that folks attempt to map each control in their environment to each requirement. This ends up looking like the cat's cradle thing we used to do with yarn on our fingers in elementary school. That's not the solution and it sure is not useable or scalable. The better solution is to remove the redundancy by combining like requirements and adding specificity where there is ambiguity. This should result in a new, smaller list of all the things you have to comply with.
compliant
Security Directions: A Virtual Conference
Available On Demand Sept. 30 - Dec. 30
Join us for a virtual event with candid, expert information on top security challenges and issues - all from the comfort of your desktop.
Protecting PII: How to Work with IT to Manage Risk
Understand the critical nature of the test data privacy problem and get tips on how to work with IT to implement a test data privacy program.
- 5 Ways to Reduce IT Audit Tax
- Upgrading to VMware vSphere with vWire
- Removing Barriers To Better Server Virtualization Efficiency
- Practical Approaches for Securing Web Applications across the Software Delivery Lifecycle
- Staying A Step Ahead of the Hackers: The Importance of Identifying Critical Web Application Vulnerabilities
- Managing A Growing Threat: An Executive's Guide to Web Application Security
Get instant notifications when whitepapers, webcasts and case studies are added
to our library. Sign up for a Resource Alert now!
CSO Corporate Partners
CSO Perspectives
-
April 5-7, 2010Hyatt Regency Santa ClaraClick here for more information!
Santa Clara, California
(ISC)2 members can earn up to 24 CPE Credits!
