informa
Commentary

Security And (Or) Regulatory Compliance

Anyone who knows me knows that I don't believe achieving regulatory compliance is a technology problem. Sure, good tech will help you get there. But at it's core, compliance is a processes problem. And a pet peeve of mine has been how the mad dash toward regulatory compliance has, in many organizations, forced CISOs to take their eye off of security.
Anyone who knows me knows that I don't believe achieving regulatory compliance is a technology problem. Sure, good tech will help you get there. But at it's core, compliance is a processes problem. And a pet peeve of mine has been how the mad dash toward regulatory compliance has, in many organizations, forced CISOs to take their eye off of security.David Mortman, who I last spoke with while he was CISO at Siebel Systems (prior to the Oracle acquisition) is a regular speaker on the infosec beat, and he knows something about grappling with compliance issues.

Mortman has an excellent take on the issue, which he has posted on (former Gartner analyst) Rich Mogul's security blog, Securosis.

He outlines the importance of what he labels the three elements to leveraging compliance for security. They are separation of duties, need to know, and change management. These are areas where compliance efforts can aid IT security.

While attaining those attributes is challenging enough, perhaps, in my opinion, the organizational communication aspects of security and compliance are the hardest part. Here's Mortman's take on the importance of communication.


Technology may enable -- or inhibit -- change, but it does not drive change. Consistent communications must exist, however, between functional areas (e.g., information technology) and lines of business (e.g., product engineering or consumer loans). Such communication facilitates incremental adjustments in technology deployment that must be recorded in system configuration documents, process updates, and business continuity plans. The continuous realignment of IT and business practice is comparable to the quality movements in manufacturing processes.

Keeping incremental changes in technology deployments is hard enough, but can be (albeit not trivially) answered with change management databases and similar single sources of truth.

The long-term difficulty is maintaining an organizational attitude of teamwork, where people aren't defending turfs, but working toward the betterment of the entire company. Mortman's post on Leveraging Compliance For Security can be found here.

Recommended Reading: