
Friday, February 12, 2010

Are you driving yourself insane with compliance?

By Pete Russo, Senior Marketing Manager, BT Global Services

Is compliance enough for your organization to be secure?  BT’s Jason Stradley recently wrote in CSO magazine how companies confuse a completed compliance checklist with ironclad security.  Interestingly, Stradley says, “… compliance is a poor excuse for security”:

Approaching this from the direction of building specific solutions or groups of solutions to answer each compliance requirement will ultimately lead to an overall security posture that is lacking basic elements and is inherently insecure.  Such an approach may create a security function that is more reactionary than it was prior to having the regulatory compliance variable factored into the mix.  This leads us to the undeniable realization that while a byproduct of security is compliance, the reverse couldn’t be further from the truth. Given that realization, hopefully we can all be somewhat in agreement that compliance is a poor excuse for security!

If you need evidence, look at the Heartland Payment Systems breach. This major breach has taught us that compliance alone is not enough to stop an attack. While Heartland was compliant with the PCI DSS requirements, the company still experienced the biggest breach ever involving payment card data.

Clearly, compliance is not enough. As more organizations accept this fact, we must look at how to build a comprehensive security program that operates as a strategic function of the organization. Here’s what Stradley recommended:

  • Develop a long-term plan or “road map” for information security within your organization and include provisions for the known compliance requirements
  • Work closely with your senior business executives as you create this “road map,” so that they can understand where you are going and how it will affect their part of the operation, and so that those business leaders have an opportunity to provide you with better information to build it right the first time
  • Share the vision of your “road map” with your entire security organization and empower them as evangelists of that vision
  • To the extent that you are able, plan for potential future compliance requirements in your road map
  • Think of these potential new requirements as you build the various security capabilities within your organization. Try to build in the ability to adapt to new or more stringent compliance requirements without major upheavals to the current processes, procedures and controls in place

By following these recommended steps, your security team will become less reactionary and more proactive. This will make your security program more valuable to your enterprise and a true strategic partner to the business.

Leave us a comment and let us know your thoughts.
