Perimeter
10/1/2012
10:21 AM
50%
50%

Compliance: The Boring Adult At The Security Party

Compliance and security are not the same thing

I’ll say it. “Security is exciting.” Security is where the fighting with the bad guys takes place. It is where spies (malware) operate, attacks take place (denial of service, breaches), and the kingdom is heroically defended (firewalls, access control, passwords).

The information princess is protected by the secret service agents of the business kingdom. Just like a cool video game, the security teams have new battles to face each day, filled with new technology threats, clever enemies, and often, lots of caffeine.

Meanwhile, most would say that compliance is boring. It is administrative in nature: Meet the requirements on a checklist, convince people to follow rules that don’t interest them and create more work for them, prepare for exams (audits), and try to make everyone generally behave. Compliance is the uptight adult that tells security their party is making a big mess and disturbing everyone else in the house.

Usually the most exciting compliance ever gets is on test day, when external auditors verify the work. That can be interesting to some, but for me it has all the suspense of taking the SAT and none of the dynamic energy of a good football tailgate.

Even if assigned to the same person or team, many of the tasks related to security are not the same as those related to compliance. Any organization that believes these are the same job is missing the point on either or both of these roles.

The best organizations accept and embrace the difference. We need security to focus on protection. In this fast-paced world of ever-changing threats, security is going to be up-tempo and at times will tend to be messy, just like a big party.

At the same time, we need compliance to provide a measurable structure and framework for security. Like the influence of a stern adult, sometimes the party needs to be kept in bounds, and the partiers have to understand which kinds of fun are appropriate and which cross the line and adversely affect others (both employees and business processes).

Can security professionals do their jobs well without compliance officials managing their every move? Of course they can. However, being disciplined in security efforts does not necessarily mean compliance is guaranteed.

Like any great party, businesses need a balance between the two extremes of excitement and structure. The organizations with the best security and best compliance have learned to let the two maintain their own necessary personalities while developing an interdependency that keeps everyone happy and safe. I believe we can all toast that!

Glenn S. Phillips serves on the board of directors for a premium tequila importer. He is also the president of Forte' Incorporated where he works with business leaders who want to leverage technology and understand the often hidden risks within. Glenn is the author of the book Nerd-to-English and you can find him on twitter at @NerdToEnglish.

Glenn works with business leaders who want to leverage technology and understand the often hidden risks awaiting them. The Founder and Sr. Consultant of Forte' Incorporated, Glenn and his team work with business leaders to support growth, increase profits, and address ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-1978
Published: 2015-05-21
Multiple cross-site request forgery (CSRF) vulnerabilities in Simple PHP Agenda 2.2.8 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) add an administrator via a request to auth/process.php, (2) delete an administrator via a request to auth/admi...

CVE-2015-0741
Published: 2015-05-21
Multiple cross-site request forgery (CSRF) vulnerabilities in Cisco Prime Central for Hosted Collaboration Solution (PC4HCS) 10.6(1) and earlier allow remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCut04596.

CVE-2015-0742
Published: 2015-05-21
The Protocol Independent Multicast (PIM) application in Cisco Adaptive Security Appliance (ASA) Software 9.2(0.0), 9.2(0.104), 9.2(3.1), 9.2(3.4), 9.3(1.105), 9.3(2.100), 9.4(0.115), 100.13(0.21), 100.13(20.3), 100.13(21.9), and 100.14(1.1) does not properly implement multicast-forwarding registrati...

CVE-2015-0746
Published: 2015-05-21
The REST API in Cisco Access Control Server (ACS) 5.5(0.46.2) allows remote attackers to cause a denial of service (API outage) by sending many requests, aka Bug ID CSCut62022.

CVE-2015-0915
Published: 2015-05-21
Cross-site scripting (XSS) vulnerability in RAKUS MailDealer 11.2.1 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted attachment filename.

Dark Reading Radio
Archived Dark Reading Radio
Join security and risk expert John Pironti and Dark Reading Editor-in-Chief Tim Wilson for a live online discussion of the sea-changing shift in security strategy and the many ways it is affecting IT and business.