Risk // Compliance
6/25/2013
11:18 AM
50%
50%

Ignoring Compliance Is A Real Option

Security and compliance are commonly deferred by choice

Life is full of choices. Lots of choices. We even have choices we don't recognize as available. Business is the same way.

For instance, did you know that both compliance and security are optional for your business? They are choices. Every day your business makes choices about how much effort, if any, it will make toward meeting compliance requirements or securing its assets, for both the physical facilities and its information assets.

"But wait, Glenn! Compliance is REQUIRED of businesses in my industry." OK, but let's be honest and clear: Compliance to laws and regulation may be legally required, but that does not mean your organization and others in your industry have actually chosen to fully embrace every legal requirement.

I bet you could tell me right now three ways your organization falls short of compliance. And you can probably also tell me how others in your industry, working under the same compliance requirements, fall short in even more ways.

If compliance were an actual requirement, like oxygen is to our bodies, then your organization would quickly fail or be closed for noncompliance. Compliance failure sometimes results in business failure, but more often businesses are noncompliant to some extent and continue to operate. They survive, perhaps even thrive, without meeting all legal requirements. The multitude of ambiguities in many laws and regulations only complicate the matter, and many companies consider themselves compliant only by embracing loose interpretations.

Your organization is probably like most. Compliance as a whole is considered a requirement, but the details of compliance are broken down into many smaller elements that are considered optional. Your company's employees choose some areas to bring into strict compliance and others to skimp on. Most organizations want to follow the rules of law and regulations of their industries, and most make a reasonable effort to do so. While the letter of the law may be subject to interpretation, and penalties have different weights, most businesses generally make choices to keep them within at least the spirit of the rules.

Unfortunately, too many businesses, however good their stated intentions, choose to treat compliance as a series of costly add-on projects, rather than the routine behaviors and processes that create true compliance. This misguided attitude often leads them to attempt to cut corners that are usually more costly in the long run, sometimes even costing them their businesses.

The best companies are those that recognize the choices, evaluate them in advance, and then choose how to most efficiently incorporate actions into their processes that make them as compliant as possible.

Glenn S. Phillips hopes you choose wisely. He is the president of Forte' Incorporated where he works with business leaders who want to leverage technology and understand the often hidden risks awaiting them. Glenn is the author of the book Nerd-to-English and you can find him on twitter at @NerdToEnglish. Glenn works with business leaders who want to leverage technology and understand the often hidden risks awaiting them. The Founder and Sr. Consultant of Forte' Incorporated, Glenn and his team work with business leaders to support growth, increase profits, and address ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
anon8122448976
50%
50%
anon8122448976,
User Rank: Apprentice
10/9/2013 | 6:17:33 AM
re: Ignoring Compliance Is A Real Option
Management in most companies is sooooo arrogant. Compliance is a luxury
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
6/27/2013 | 4:48:46 PM
re: Ignoring Compliance Is A Real Option
When it really comes down to it, an organization that embraces and enforces well defined security practices as core to their organizational objectives will find that compliance isn't that far out of reach, if they aren't already there.
MarciaNWC
50%
50%
MarciaNWC,
User Rank: Apprentice
6/26/2013 | 4:23:24 PM
re: Ignoring Compliance Is A Real Option
Interesting post Glenn. It's easy to go overboard on compliance yet still miss the mark.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8802
Published: 2015-01-23
The Pie Register plugin before 2.0.14 for WordPress does not properly restrict access to certain functions in pie-register.php, which allows remote attackers to (1) add a user by uploading a crafted CSV file or (2) activate a user account via a verifyit action.

CVE-2014-9623
Published: 2015-01-23
OpenStack Glance 2014.2.x through 2014.2.1, 2014.1.3, and earlier allows remote authenticated users to bypass the storage quote and cause a denial of service (disk consumption) by deleting an image in the saving state.

CVE-2014-9638
Published: 2015-01-23
oggenc in vorbis-tools 1.4.0 allows remote attackers to cause a denial of service (divide-by-zero error and crash) via a WAV file with the number of channels set to zero.

CVE-2014-9639
Published: 2015-01-23
Integer overflow in oggenc in vorbis-tools 1.4.0 allows remote attackers to cause a denial of service (crash) via a crafted number of channels in a WAV file, which triggers an out-of-bounds memory access.

CVE-2014-9640
Published: 2015-01-23
oggenc/oggenc.c in vorbis-tools 1.4.0 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted raw file.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
If you’re a security professional, you’ve probably been asked many questions about the December attack on Sony. On Jan. 21 at 1pm eastern, you can join a special, one-hour Dark Reading Radio discussion devoted to the Sony hack and the issues that may arise from it.