Change your mind
Security staff are infamous for declaring “security does not equal compliance” whenever the topic of compliance is mentioned by a non-security person. The reasoning behind this is sound: Compliance is a set of minimum requirements and auditable actions or technologies. In some cases, compliance mandates have little to do with security at all, making security staff feel like they’re working on projects that don’t further their cause—particularly frustrating when security is overworked and understaffed.
And in many cases, security understands that compliance just doesn’t go far enough to actually secure a company, its systems, and the data contained therein. Regardless of security pros’ feelings about or beliefs in compliance as a necessity, security teams play a large part in ensuring regulatory compliance mandates are met. When requirements aren’t met and fines or penalties ensue, security staff themselves say that such negligence constitutes a “fireable” offense.
According to a recent study conducted by Osterman Research on behalf of security provider Trustwave, 68% of IT security staff report that “failure to meet regulatory compliance that led to [sic] large fine or other penalty” would be considered an infringement that could reasonably lead to the firing of security personnel. Therefore, on the one hand, security staff are generally quick to dismiss compliance as ineffective; on the other, compliance is of such significant importance to organizations that practitioners realize ignoring it could cost them their livelihoods.
Did you ever think
Digging into this a little bit deeper, maybe the security industry needs a fresh take on compliance. This is not to say that security pros should blindly and suddenly accept that compliance is the be-all, end-all of information security. Some compliance requirements do not affect security controls, it’s true. Some of the mandates don’t make organizations more secure. More to the point, however, while some compliance is a checkbox exercise, much of it can be viewed as laying the groundwork of security. A company’s security team cannot, by any means, stop at fulfilling compliance: once compliance mandates are met, there is still much work to be done. True security goes above and beyond compliance and audit requirements—they are separate organizational functions with different responsibilities, inputs, goals, and desired outcomes, after all.
However—and this is a big “however”—instead of rejecting compliance because it isn’t security, perhaps a better way to look at it—and one that can help align security more closely with business and executives’ goals—is to think of compliance as one of the underpinnings of security, the soil (compliance) upon which the foundation (security architecture) is built.
There might be another way
For years security staff have been shaking their fists at management teams who insist compliance is a priority. Has that helped security gain respect with business leaders? There is no demonstrable proof it has. If the Osterman/Trustwave report is any indication, though, security pros understand the role compliance plays in serving business needs, as well as the (potentially severe) consequences of non-compliance. Why, then, perpetuate the dismissal of compliance? Compliance may not be the most fun or interesting or even most effective part of a practitioner’s job in securing organizational assets, but it is quite important to the business, and therefore should be to security teams as well.
It’s OK to explain that compliance and security are separate (but parallel) things, and it’s important for security teams to help executives fully comprehend that complying with rules or regulations won’t secure the business or prevent breaches, loss, embarrassment, or the hefty fees, penalties, and cleanup costs that could occur if the organization has lax security practices and technologies and therefore suffers an incident or breach. All of this is part of the education process, and it may take some time. Regardless of security pros’ personal feelings, compliance and security must coexist, and it seems that security is finally accepting that fact (if the report is any indication). Instead of accepting it begrudgingly, security teams will build a great deal of goodwill with other business leaders by acknowledging publicly that compliance holds a significant place in the IT lifecycle, of which security is part.
Just feel better about today
Security’s goals should include learning communication techniques that help the team earn the influence and trust of other business leaders so that it can accomplish its job—which undoubtedly goes above and beyond ensuring compliance, but also consists of supporting important business needs. As the saying goes, if you want to change your life, change your mind. It all starts with a fresh look at integrating compliance with security.