Risk //

Compliance

6/25/2013
11:18 AM
50%
50%

Ignoring Compliance Is A Real Option

Security and compliance are commonly deferred by choice

Life is full of choices. Lots of choices. We even have choices we don't recognize as available. Business is the same way.

For instance, did you know that both compliance and security are optional for your business? They are choices. Every day your business makes choices about how much effort, if any, it will make toward meeting compliance requirements or securing its assets, for both the physical facilities and its information assets.

"But wait, Glenn! Compliance is REQUIRED of businesses in my industry." OK, but let's be honest and clear: Compliance to laws and regulation may be legally required, but that does not mean your organization and others in your industry have actually chosen to fully embrace every legal requirement.

I bet you could tell me right now three ways your organization falls short of compliance. And you can probably also tell me how others in your industry, working under the same compliance requirements, fall short in even more ways.

If compliance were an actual requirement, like oxygen is to our bodies, then your organization would quickly fail or be closed for noncompliance. Compliance failure sometimes results in business failure, but more often businesses are noncompliant to some extent and continue to operate. They survive, perhaps even thrive, without meeting all legal requirements. The multitude of ambiguities in many laws and regulations only complicate the matter, and many companies consider themselves compliant only by embracing loose interpretations.

Your organization is probably like most. Compliance as a whole is considered a requirement, but the details of compliance are broken down into many smaller elements that are considered optional. Your company's employees choose some areas to bring into strict compliance and others to skimp on. Most organizations want to follow the rules of law and regulations of their industries, and most make a reasonable effort to do so. While the letter of the law may be subject to interpretation, and penalties have different weights, most businesses generally make choices to keep them within at least the spirit of the rules.

Unfortunately, too many businesses, however good their stated intentions, choose to treat compliance as a series of costly add-on projects, rather than the routine behaviors and processes that create true compliance. This misguided attitude often leads them to attempt to cut corners that are usually more costly in the long run, sometimes even costing them their businesses.

The best companies are those that recognize the choices, evaluate them in advance, and then choose how to most efficiently incorporate actions into their processes that make them as compliant as possible.

Glenn S. Phillips hopes you choose wisely. He is the president of Forte' Incorporated where he works with business leaders who want to leverage technology and understand the often hidden risks awaiting them. Glenn is the author of the book Nerd-to-English and you can find him on twitter at @NerdToEnglish. Glenn works with business leaders who want to leverage technology and understand the often hidden risks awaiting them. The Founder and Sr. Consultant of Forte' Incorporated, Glenn and his team work with business leaders to support growth, increase profits, and address ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
anon8122448976
50%
50%
anon8122448976,
User Rank: Apprentice
10/9/2013 | 6:17:33 AM
re: Ignoring Compliance Is A Real Option
Management in most companies is sooooo arrogant. Compliance is a luxury
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
6/27/2013 | 4:48:46 PM
re: Ignoring Compliance Is A Real Option
When it really comes down to it, an organization that embraces and enforces well defined security practices as core to their organizational objectives will find that compliance isn't that far out of reach, if they aren't already there.
MarciaNWC
50%
50%
MarciaNWC,
User Rank: Apprentice
6/26/2013 | 4:23:24 PM
re: Ignoring Compliance Is A Real Option
Interesting post Glenn. It's easy to go overboard on compliance yet still miss the mark.
Want Your Daughter to Succeed in Cyber? Call Her John
John De Santis, CEO, HyTrust,  5/16/2018
Don't Roll the Dice When Prioritizing Vulnerability Fixes
Ericka Chickowski, Contributing Writer, Dark Reading,  5/15/2018
New Mexico Man Sentenced on DDoS, Gun Charges
Dark Reading Staff 5/18/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-11321
PUBLISHED: 2018-05-22
An issue was discovered in com_fields in Joomla! Core before 3.8.8. Inadequate filtering allows users authorised to create custom fields to manipulate the filtering options and inject an unvalidated option.
CVE-2018-11322
PUBLISHED: 2018-05-22
An issue was discovered in Joomla! Core before 3.8.8. Depending on the server configuration, PHAR files might be handled as executable PHP scripts by the webserver.
CVE-2018-11323
PUBLISHED: 2018-05-22
An issue was discovered in Joomla! Core before 3.8.8. Inadequate checks allowed users to modify the access levels of user groups with higher permissions.
CVE-2018-11324
PUBLISHED: 2018-05-22
An issue was discovered in Joomla! Core before 3.8.8. A long running background process, such as remote checks for core or extension updates, could create a race condition where a session that was expected to be destroyed would be recreated.
CVE-2018-11325
PUBLISHED: 2018-05-22
An issue was discovered in Joomla! Core before 3.8.8. The web install application would autofill password fields after either a form validation error or navigating to a previous install step, and display the plaintext password for the administrator account at the confirmation screen.