Security's Everyman

Thursday, December 07, 2006

Compliance is NOT a driving factor

I found a new blog (new for me) today when they linked to my Compliance posting. I know no harm was meant, but I took offense to their accusation that I was letting the wrong thing drive my priorities. All that aside, their blog looks to be interesting. I have added it to my feeds so I can keep up with what they have to say and learn from them.

Maybe a little clarification is in order. I think they misunderstood me. I've mentioned before the major changes coming down the pike for my company. Part of that involves having to bring in house compliance issues that were being handled by a business partner. That means that, like it or not, ready or not, I have some catching up to do and I have to do it fast. I have to put some things in place to help me prove my compliance. True, there were vendors there selling their hype, but they are not what made me feel better. I've been doing this too long and dealing with vendors too long to buy into that. I spend roughly 35% of my time dealing with vendors. I know that they play games and I know how to play their games.

What made me feel better was talking to people who have been dealing with compliance issues for several years. They are the ones who gave me tips, hints and ideas that give me some hope in what looked to be an overwhelming task. I still have lots to do and will still have to spend lots of money. Not because spending money makes me compliant, but because getting the pieces in place is not a cheap venture when you are starting from scratch.

Compliance is not driving my priorities. Security is driving my priorities. Compliance is just a piece of the puzzle that I have to put together. My priorities have always been a secure network and infrastructure whether or not I had to prove compliance. I practice the mantra "A secure network will almost always be compliant, but a compliant network will not always be secure".

1 comment:

Anonymous said...

Oh, and also?! There's very little focus on "compliance" in *real* risk management.

The point of my post wasn't focusing on you as much as whoever put on that seminar. Too many folks use the term "risk management" when they have very little REAL knowledge about risk (but lots of knowledge about security).

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.