Security and Compliance - Strange Bedfellows Indeed

Published 01 May 08 01:24 PM | Rafal Los 

  It's a classic problem of which came first... the chicken or the egg?  Politics or corruption?  Security or compliance?  While I admit it's not such a strange thing to see the two groups working together these days, I would like to point out some of the issues I've come across between these two very important groups in today's enterprises.

  The issue of compliance is much like the issue of legal counsel.  All large enterprises, and even most small businesses, have someone who is responsible for compliance - occasionally you'll see an entire department dedicated to the daunting task of keeping up with regulations, compliance policies, and the ever-changing landscape of procedural accountability.  Oddly enough, there is not a one-to-one relationship between the compliance department and the security department.  I've spent a large portion of my IT career in situations just like this and I would like to share some of my understanding with you.

  Compliance, while not always a necessity in private businesses, is almost always present in larger, public enterprises.  The compliance department is responsible for making sure the business is in line with self-imposed corporate regulations and policies, industry-consortium regulatory guidance, government oversight and policy, and even international law.  It's amazing these groups can keep this stuff straight, right?  What's equally amazing is how often compliance relies on IT Security for guidance on, and implementation of, compliance components.  This of course raises the question - would IT Security exist in some organizations if there were no compliance stipulation for such a group?  On the flip side... in a perfectly secure world where no one is ever malicious, what would be the need for a compliance group?  So while it may be a stretch to say that one group cannot function without the other (I will concede that they can, albeit poorly), each is heavily dependent on the other for its very existence within a business.  This is where I find some strange... interactions.

  As I've stated, the security team often carries out part of compliance policy or regulations, or performs audits to ensure that those same regulations are being followed - but I feel that even in these cases the synergies between the groups are under-utilized.  I can't count the number of times I've been turned down for an IT Security initiative (which made perfect business sense, by the way, but was simply under-funded) only to push that same initiative through under the guise of a compliance regulation - through the compliance team.  In return, the compliance teams I've had the pleasure to work with have repeatedly called upon my security resources to be the "muscle" behind their policies.

  As I travel and talk to different groups about Application Security, I am aghast at the number of times I get an entirely blank stare when I try to explain how leveraging compliance is a sure-fire way to get security initiatives done.  Here's my reasoning... see if you disagree...

  • Compliance is a "necessary evil" which exists to keep the business in good legal and regulatory standing
  • IT Security exists to keep risk and reward within the business's IT as balanced as possible
  • IT Security should be looking to enact initiatives which work to support the business

  If you take all 3 points above as true (and I firmly believe they are) then it's a logical next step to say that IT Security initiatives and Compliance initiatives will greatly overlap.  An overlap between two very necessary units of the enterprise will always, without fail, lend more credibility to their efforts and causes.  If both the security and compliance teams are pushing the same agenda, it becomes very difficult for a business owner to simply dismiss that agenda as unnecessary or frivolous.

  So a lesson learned here - if you're not already doing this, here are some very simple yet extremely effective (based on personal experience and first-hand accounts) techniques for getting things "done".

  • Open a regular dialogue with your compliance team.  Meet once a quarter, once a month, or once a week, as permissible, to discuss what you're independently working on
  • Find overlaps in your goals from a non-technical perspective
  • Create a joint strategy for compliance and technical implementation of initiatives previously agreed upon
  • Review business requirements jointly - ensure that both groups understand each other's point-of-view

Given these very simple, and probably obvious, steps, I can virtually guarantee more successful achievement of IT Security goals.  You'll work less uphill, you'll "win" more often, and you'll do a much better job of not only understanding but supporting your business - and that makes everyone happy.

Comments

# Interesting Bits - May 2nd, 2008 « Infosec Ramblings said on May 2, 2008 10:02 AM:

PingBack from http://infosecramblings.wordpress.com/2008/05/02/interesting-bits-may-2nd-2008/
