Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk //

Compliance

6/25/2013
11:18 AM
50%
50%

Ignoring Compliance Is A Real Option

Security and compliance are commonly deferred by choice

Life is full of choices. Lots of choices. We even have choices we don't recognize as available. Business is the same way.

For instance, did you know that both compliance and security are optional for your business? They are choices. Every day your business makes choices about how much effort, if any, it will make toward meeting compliance requirements or securing its assets, for both the physical facilities and its information assets.

"But wait, Glenn! Compliance is REQUIRED of businesses in my industry." OK, but let's be honest and clear: Compliance to laws and regulation may be legally required, but that does not mean your organization and others in your industry have actually chosen to fully embrace every legal requirement.

I bet you could tell me right now three ways your organization falls short of compliance. And you can probably also tell me how others in your industry, working under the same compliance requirements, fall short in even more ways.

If compliance were an actual requirement, like oxygen is to our bodies, then your organization would quickly fail or be closed for noncompliance. Compliance failure sometimes results in business failure, but more often businesses are noncompliant to some extent and continue to operate. They survive, perhaps even thrive, without meeting all legal requirements. The multitude of ambiguities in many laws and regulations only complicate the matter, and many companies consider themselves compliant only by embracing loose interpretations.

Your organization is probably like most. Compliance as a whole is considered a requirement, but the details of compliance are broken down into many smaller elements that are considered optional. Your company's employees choose some areas to bring into strict compliance and others to skimp on. Most organizations want to follow the rules of law and regulations of their industries, and most make a reasonable effort to do so. While the letter of the law may be subject to interpretation, and penalties have different weights, most businesses generally make choices to keep them within at least the spirit of the rules.

Unfortunately, too many businesses, however good their stated intentions, choose to treat compliance as a series of costly add-on projects, rather than the routine behaviors and processes that create true compliance. This misguided attitude often leads them to attempt to cut corners that are usually more costly in the long run, sometimes even costing them their businesses.

The best companies are those that recognize the choices, evaluate them in advance, and then choose how to most efficiently incorporate actions into their processes that make them as compliant as possible.

Glenn S. Phillips hopes you choose wisely. He is the president of Forte' Incorporated where he works with business leaders who want to leverage technology and understand the often hidden risks awaiting them. Glenn is the author of the book Nerd-to-English and you can find him on twitter at @NerdToEnglish. Glenn works with business leaders who want to leverage technology and understand the often hidden risks awaiting them. The Founder and Sr. Consultant of Forte' Incorporated, Glenn and his team work with business leaders to support growth, increase profits, and address ... View Full Bio

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
anon8122448976
50%
50%
anon8122448976,
User Rank: Apprentice
10/9/2013 | 6:17:33 AM
re: Ignoring Compliance Is A Real Option
Management in most companies is sooooo arrogant. Compliance is a luxury
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
6/27/2013 | 4:48:46 PM
re: Ignoring Compliance Is A Real Option
When it really comes down to it, an organization that embraces and enforces well defined security practices as core to their organizational objectives will find that compliance isn't that far out of reach, if they aren't already there.
MarciaNWC
50%
50%
MarciaNWC,
User Rank: Apprentice
6/26/2013 | 4:23:24 PM
re: Ignoring Compliance Is A Real Option
Interesting post Glenn. It's easy to go overboard on compliance yet still miss the mark.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/14/2020
Lock-Pickers Face an Uncertain Future Online
Seth Rosenblatt, Contributing Writer,  8/10/2020
Hacking It as a CISO: Advice for Security Leadership
Kelly Sheridan, Staff Editor, Dark Reading,  8/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 New Cybersecurity Vulnerabilities That Could Put Your Enterprise at Risk
In this Dark Reading Tech Digest, we look at the ways security researchers and ethical hackers find critical vulnerabilities and offer insights into how you can fix them before attackers can exploit them.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-17475
PUBLISHED: 2020-08-14
Lack of authentication in the network relays used in MEGVII Koala 2.9.1-c3s allows attackers to grant physical access to anyone by sending packet data to UDP port 5000.
CVE-2020-0255
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2020-10751. Reason: This candidate is a duplicate of CVE-2020-10751. Notes: All CVE users should reference CVE-2020-10751 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidenta...
CVE-2020-14353
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2017-18270. Reason: This candidate is a duplicate of CVE-2017-18270. Notes: All CVE users should reference CVE-2017-18270 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidenta...
CVE-2020-17464
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
CVE-2020-17473
PUBLISHED: 2020-08-14
Lack of mutual authentication in ZKTeco FaceDepot 7B 1.0.213 and ZKBiosecurity Server 1.0.0_20190723 allows an attacker to obtain a long-lasting token by impersonating the server.