Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

10/1/2012
10:21 AM
50%
50%

Compliance: The Boring Adult At The Security Party

Compliance and security are not the same thing

I’ll say it. “Security is exciting.” Security is where the fighting with the bad guys takes place. It is where spies (malware) operate, attacks take place (denial of service, breaches), and the kingdom is heroically defended (firewalls, access control, passwords).

The information princess is protected by the secret service agents of the business kingdom. Just like a cool video game, the security teams have new battles to face each day, filled with new technology threats, clever enemies, and often, lots of caffeine.

Meanwhile, most would say that compliance is boring. It is administrative in nature: Meet the requirements on a checklist, convince people to follow rules that don’t interest them and create more work for them, prepare for exams (audits), and try to make everyone generally behave. Compliance is the uptight adult that tells security their party is making a big mess and disturbing everyone else in the house.

Usually the most exciting compliance ever gets is on test day, when external auditors verify the work. That can be interesting to some, but for me it has all the suspense of taking the SAT and none of the dynamic energy of a good football tailgate.

Even if assigned to the same person or team, many of the tasks related to security are not the same as those related to compliance. Any organization that believes these are the same job is missing the point on either or both of these roles.

The best organizations accept and embrace the difference. We need security to focus on protection. In this fast-paced world of ever-changing threats, security is going to be up-tempo and at times will tend to be messy, just like a big party.

At the same time, we need compliance to provide a measurable structure and framework for security. Like the influence of a stern adult, sometimes the party needs to be kept in bounds, and the partiers have to understand which kinds of fun are appropriate and which cross the line and adversely affect others (both employees and business processes).

Can security professionals do their jobs well without compliance officials managing their every move? Of course they can. However, being disciplined in security efforts does not necessarily mean compliance is guaranteed.

Like any great party, businesses need a balance between the two extremes of excitement and structure. The organizations with the best security and best compliance have learned to let the two maintain their own necessary personalities while developing an interdependency that keeps everyone happy and safe. I believe we can all toast that!

Glenn S. Phillips serves on the board of directors for a premium tequila importer. He is also the president of Forte' Incorporated where he works with business leaders who want to leverage technology and understand the often hidden risks within. Glenn is the author of the book Nerd-to-English and you can find him on twitter at @NerdToEnglish.

Glenn works with business leaders who want to leverage technology and understand the often hidden risks awaiting them. The Founder and Sr. Consultant of Forte' Incorporated, Glenn and his team work with business leaders to support growth, increase profits, and address ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
FluBot Malware's Rapid Spread May Soon Hit US Phones
Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
Slideshows
7 Modern-Day Cybersecurity Realities
Steve Zurier, Contributing Writer,  4/30/2021
Commentary
How to Secure Employees' Home Wi-Fi Networks
Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-31755
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /goform/setmac allows attackers to execute arbitrary code on the system via a crafted post request.
CVE-2021-31756
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /gofrom/setwanType allows attackers to execute arbitrary code on the system via a crafted post request. This occurs when input vector controlled by malicious attack get copie...
CVE-2021-31757
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /goform/setVLAN allows attackers to execute arbitrary code on the system via a crafted post request.
CVE-2021-31758
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /goform/setportList allows attackers to execute arbitrary code on the system via a crafted post request.
CVE-2021-31458
PUBLISHED: 2021-05-07
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 10.1.1.37576. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handlin...