Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

10/1/2012
10:21 AM
50%
50%

Compliance: The Boring Adult At The Security Party

Compliance and security are not the same thing

I’ll say it. “Security is exciting.” Security is where the fighting with the bad guys takes place. It is where spies (malware) operate, attacks take place (denial of service, breaches), and the kingdom is heroically defended (firewalls, access control, passwords).

The information princess is protected by the secret service agents of the business kingdom. Just like a cool video game, the security teams have new battles to face each day, filled with new technology threats, clever enemies, and often, lots of caffeine.

Meanwhile, most would say that compliance is boring. It is administrative in nature: Meet the requirements on a checklist, convince people to follow rules that don’t interest them and create more work for them, prepare for exams (audits), and try to make everyone generally behave. Compliance is the uptight adult that tells security their party is making a big mess and disturbing everyone else in the house.

Usually the most exciting compliance ever gets is on test day, when external auditors verify the work. That can be interesting to some, but for me it has all the suspense of taking the SAT and none of the dynamic energy of a good football tailgate.

Even if assigned to the same person or team, many of the tasks related to security are not the same as those related to compliance. Any organization that believes these are the same job is missing the point on either or both of these roles.

The best organizations accept and embrace the difference. We need security to focus on protection. In this fast-paced world of ever-changing threats, security is going to be up-tempo and at times will tend to be messy, just like a big party.

At the same time, we need compliance to provide a measurable structure and framework for security. Like the influence of a stern adult, sometimes the party needs to be kept in bounds, and the partiers have to understand which kinds of fun are appropriate and which cross the line and adversely affect others (both employees and business processes).

Can security professionals do their jobs well without compliance officials managing their every move? Of course they can. However, being disciplined in security efforts does not necessarily mean compliance is guaranteed.

Like any great party, businesses need a balance between the two extremes of excitement and structure. The organizations with the best security and best compliance have learned to let the two maintain their own necessary personalities while developing an interdependency that keeps everyone happy and safe. I believe we can all toast that!

Glenn S. Phillips serves on the board of directors for a premium tequila importer. He is also the president of Forte' Incorporated where he works with business leaders who want to leverage technology and understand the often hidden risks within. Glenn is the author of the book Nerd-to-English and you can find him on twitter at @NerdToEnglish.

Glenn works with business leaders who want to leverage technology and understand the often hidden risks awaiting them. The Founder and Sr. Consultant of Forte' Incorporated, Glenn and his team work with business leaders to support growth, increase profits, and address ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
'Box Shield' Brings New Security Controls
Kelly Sheridan, Staff Editor, Dark Reading,  8/21/2019
MoviePass Leaves Credit Card Numbers, Personal Data Exposed Online
Kelly Sheridan, Staff Editor, Dark Reading,  8/21/2019
New FISMA Report Shows Progress, Gaps in Federal Cybersecurity
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/21/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-15498
PUBLISHED: 2019-08-23
cgi-bin/cmh/webcam.sh in Vera Edge Home Controller 1.7.4452 allows remote unauthenticated users to execute arbitrary OS commands via --output argument injection in the username parameter to /cgi-bin/cmh/webcam.sh.
CVE-2019-15499
PUBLISHED: 2019-08-23
CodiMD 1.3.1, when Safari is used, allows XSS via an IFRAME element with allow-top-navigation in the sandbox attribute, in conjunction with a data: URL.
CVE-2019-13139
PUBLISHED: 2019-08-22
In Docker before 18.09.4, an attacker who is capable of supplying or manipulating the build path for the "docker build" command would be able to gain command execution. An issue exists in the way "docker build" processes remote git URLs, and results in command injection into the ...
CVE-2019-15325
PUBLISHED: 2019-08-22
In GalliumOS 3.0, CONFIG_SECURITY_YAMA is disabled but /etc/sysctl.d/10-ptrace.conf tries to set /proc/sys/kernel/yama/ptrace_scope to 1, which might increase risk because of the appearance that a protection mechanism is present when actually it is not.
CVE-2019-15326
PUBLISHED: 2019-08-22
The import-users-from-csv-with-meta plugin before 1.14.2.1 for WordPress has directory traversal.