I've got mixed feelings regarding compliance. On one hand I like it because it forces many companies to do things they wouldn't normally do to better secure their network. On the other hand, too many companies are only doing what they have to do to pass their compliance audit. They are checking the boxes on their compliance checklist and missing a hole somewhere because that area isn't on the compliance "watch list". They may be making the auditors happy for now, but what about next year when they come back? What about next week when the bad guys find your vulnerability? After that happens you are going to be forced to take action to fix the problem, only it may be more expensive and difficult to fix than if you had done it when it should have been done. Not to mention the clean-up costs.
Compliance is not the reason to secure. You secure because what you have on your network is worth something to your business. You secure because a breach will hurt your business and possibly destroy it. You comply because you have data that is valuable to other people: customer and employee data, credit card numbers, social security numbers, etc. All of these things are "protected" by your compliance checklist, but if a hacker gets into your network through some venue that is not on the checklist, it doesn't really matter what is checked and what isn't.
When considering security for your network you have to look past compliance and look at the "real" picture, not the one painted by GLBA, SOX, HIPAA, PCI or any of the others. Listen to your IT Security staff (or those who have a clue), listen to consultants, VARs, vendors, etc. Don't just cast them off as either trying to get all the cool toys to play with or trying to sell you more than you need. Yes, those things happen, but you should at least consider what they have to say and look at it with an eye towards gaining knowledge on what will really make you secure.
Too often companies look at the bottom dollar and what will fill the check boxes. The only problem is that the check boxes keep increasing in number, and the bottom dollar can't be seen because of hidden costs that you can't know about.
Security's Everyman
Thursday, June 21, 2007
Why do security?
Posted by Andy, ITGuy at 8:18 AM
Labels: Andy ITGuy, audits, compliance, information security
3 comments:
Hi Andy
This is also the problem I have with compliance. I beat on the PCI guys every other week or so about compliance v/s risk management.
My distillation of what you're saying
Couldn't agree more.
Great post Andy.
I wouldn't be surprised if those companies that are doing the bare minimum to check off compliance are the ones who wouldn't do anything at all without the compliance. In this way, compliance is really just pulling up (not driving up!) the bottom rungs of the ladder by using economic incentives (i.e. penalties if you miss the marks). Of course, that means it needs teeth or it fails.
On the other hand, while compliance pulls up the bottom line, it can give those bottom-dwellers a very real false sense of security, and that sense can bleed into ranks of companies up above. In fact, companies who are well above the mark may have execs who second-guess why they are spending so much money when compliance is way down there.
Overall, it is a real good thing for consumers. For us professionals, I think it depends on our companies.
You're right, the costs