Perimeter
10/1/2012
10:21 AM
Connect Directly
RSS
E-Mail
50%
50%
Repost This

Compliance: The Boring Adult At The Security Party

Compliance and security are not the same thing

I’ll say it. “Security is exciting.” Security is where the fighting with the bad guys takes place. It is where spies (malware) operate, attacks take place (denial of service, breaches), and the kingdom is heroically defended (firewalls, access control, passwords).

The information princess is protected by the secret service agents of the business kingdom. Just like a cool video game, the security teams have new battles to face each day, filled with new technology threats, clever enemies, and often, lots of caffeine.

Meanwhile, most would say that compliance is boring. It is administrative in nature: Meet the requirements on a checklist, convince people to follow rules that don’t interest them and create more work for them, prepare for exams (audits), and try to make everyone generally behave. Compliance is the uptight adult that tells security their party is making a big mess and disturbing everyone else in the house.

Usually the most exciting compliance ever gets is on test day, when external auditors verify the work. That can be interesting to some, but for me it has all the suspense of taking the SAT and none of the dynamic energy of a good football tailgate.

Even if assigned to the same person or team, many of the tasks related to security are not the same as those related to compliance. Any organization that believes these are the same job is missing the point on either or both of these roles.

The best organizations accept and embrace the difference. We need security to focus on protection. In this fast-paced world of ever-changing threats, security is going to be up-tempo and at times will tend to be messy, just like a big party.

At the same time, we need compliance to provide a measurable structure and framework for security. Like the influence of a stern adult, sometimes the party needs to be kept in bounds, and the partiers have to understand which kinds of fun are appropriate and which cross the line and adversely affect others (both employees and business processes).

Can security professionals do their jobs well without compliance officials managing their every move? Of course they can. However, being disciplined in security efforts does not necessarily mean compliance is guaranteed.

Like any great party, businesses need a balance between the two extremes of excitement and structure. The organizations with the best security and best compliance have learned to let the two maintain their own necessary personalities while developing an interdependency that keeps everyone happy and safe. I believe we can all toast that!

Glenn S. Phillips serves on the board of directors for a premium tequila importer. He is also the president of Forte' Incorporated where he works with business leaders who want to leverage technology and understand the often hidden risks within. Glenn is the author of the book Nerd-to-English and you can find him on twitter at @NerdToEnglish.

Glenn works with business leaders who want to leverage technology and understand the often hidden risks awaiting them. The Founder and Sr. Consultant of Forte' Incorporated, Glenn and his team work with business leaders to support growth, increase profits, and address ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2011-3154
Published: 2014-04-17
DistUpgrade/DistUpgradeViewKDE.py in Update Manager before 1:0.87.31.1, 1:0.134.x before 1:0.134.11.1, 1:0.142.x before 1:0.142.23.1, 1:0.150.x before 1:0.150.5.1, and 1:0.152.x before 1:0.152.25.5 does not properly create temporary files, which allows local users to obtain the XAUTHORITY file conte...

CVE-2013-2143
Published: 2014-04-17
The users controller in Katello 1.5.0-14 and earlier, and Red Hat Satellite, does not check authorization for the update_roles action, which allows remote authenticated users to gain privileges by setting a user account to an administrator account.

CVE-2014-0036
Published: 2014-04-17
The rbovirt gem before 0.0.24 for Ruby uses the rest-client gem with SSL verification disabled, which allows remote attackers to conduct man-in-the-middle attacks via unspecified vectors.

CVE-2014-0054
Published: 2014-04-17
The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External ...

CVE-2014-0071
Published: 2014-04-17
PackStack in Red Hat OpenStack 4.0 does not enforce the default security groups when deployed to Neutron, which allows remote attackers to bypass intended access restrictions and make unauthorized connections.

Best of the Web