Regulatory and industry IT compliance initiatives generally involve security, but those who implement compliance and those responsible for enterprise security are often different people—and sometimes they’re atodds with each other.
What role should the security team play in any compliance effort? How can security teams leverage the resources and support given to compliance in order to improve overall enterprise security? And while compliance never equals security, how can enterprises maximize their efforts to ensure the best possible integration of the two?
To be effective, IT groups must truly understand and monitor regulatory requirements and take an active part in interpreting requirements and mapping them to controls. Furthermore, IT organizations need to recognize and embrace the fact that noncompliance, even in the absence of a breach, is a threat they must manage. IT needs to take on the mantle of compliance responsibility, expand its mindset to include compliance, and reap the benefits of a broad set of business drivers that can meet regulatory requirements and improve security.
Compliance is a big job that involves multiple disciplines and skills, so it’s no wonder larger organizations, with the resources to dedicate to each task, assign responsibility for the administrative and legal aspects of compliance to a variety of people and roles. Compliance responsibility is often spread among the legal department, privacy officers, audit, human resources and, of course, IT security.
The personality differences between compliance and security staff can create conflict between the groups involved. Legal, audit and human resources departments, whose roles include responsibility for compliance, may view IT and information security as technology geeks who don’t understand the business implications of being found noncompliant with a regulation or contract.
The security people, in turn, may view business departments as dictators who don’t understand the cost and effort it takes to implement controls required for compliance that, in their opinion, do nothing to improve security. It is common for security experts to question the reasoning behind the level of formality, documentation and bookkeeping necessary to comply with regulations and contracts when there is "real work" to do to secure the enterprise.
The schism between these two parties is no different from the one that often exists between business management and technology teams. The business does not understand the technology, and the technology group does not understand or appreciate the compliance requirements.
In a situation where there is little common ground, the team with the bigger budget wins. Hence, the relationship between compliance and information security becomes one-sided: Compliance dictates, and security implements. Security may argue cost, but unless it can provide clear accounting arguments, this just increases the pressure on IT to find less expensive methods to achieve compliance. Again, the burden falls on IT or information security specifically.
It may seem natural for compliance and IT to be adversaries, but both departments and companies as a whole are better served if IT can view compliance as a security requirements driver rather than an impediment. As noted, regulations and contractual requirements provide some of the most compelling arguments for better security. If the groups can work together effectively, compliance can be a powerful tool to justify budget for much needed security controls.
Most of the burden of cooperation inevitably falls on the technology groups. This is only fair, given that IT stands to gain. Technology needs to embrace regulations and contracts as legitimate security requirements, and work with compliance to find solutions to compliance problems and simultaneously achieve operational security goals.
To learn the five steps of harmonizing security and compliance efforts, download the free report.
Have a comment on this story? Please click "Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.