Heed Good Advice

In Security advice is cheap and easy to come by. Often it is VERY slanted. Slant can be affected by many things. When talking to the guys in the trenches the slant comes from using the products and how they deem that they protect or don't protect their systems. Sometimes it comes from bias based on what they know and feel comfortable with. Other times the bias comes from vendors who are pushing their products.

I ran across an article this morning that offers some good advice for security professionals. "Have You Read Your Regulations?" by Roger Grimes talks about the importance of reading the various regulations that your company is subject to. Often knowing what is and isn't expected and acceptable is the difference between being compliant or out of compliance. Now don't start thinking that I'm pushing compliance as a means to security. I firmly believe in the adage "Compliance rarely leads to good security but good security almost always leads to compliance". You can have great security in place and be in compliance but make a small mistake that is out of compliance. That is why it's important for those who practice and manage security to be well versed on what is required and expected. Management looks to us when needing a solution to a problem. If they need to send data to a customer or business partner they come to you to find out the best way to do so. Often they come with a preconceived idea of how they will do it and they want to know if it is "in compliance" with the various regulations. When you know answer not only does it keep the company secure and compliant, but it also looks good to management. They know that you are the guy (or girl) that they can trust to keep them out of trouble.

Regulations can be boring and often are difficult to understand but it will serve you well to read and understand them.