Security and Compliance: A Balancing Act of Inequalities
Wes Withrow, Cybersecurity Expert for TraceSecurity
At some point in every IT security professional’s career, they will be asked their opinion on the
merits of compliance and how soon compliance frameworks will reach the point where organizations
are “hack proof.”
The response almost invariably goes like this: “Compliance isn’t perfect but at least it’s forcing us to
talk about security. Nothing is hack proof unless it’s powered off, unplugged from the network, and
destroyed with hammers. Even then your data probably got synced to your fridge without you
knowing.”
This provides a window of opportunity to explain the difference between being compliant and
being secure. Compliance and security were never designed to be packaged and sold as the same
product.
Somewhere in the chaos of the last decade it was falsely ingrained in people’s minds that
companies that protected their data with compliance-driven security programs were immune to
cyber breaches.
Moving Beyond Compliance-Driven Security Strategies
Compliance-driven security is a strategy that is less concerned about improving the security posture
of an organization and more about quickly “checking the box” to keep regulators at bay. It’s the “D
minus” equivalent of passing the bar exam and telling yourself that you’re a great attorney now that
you’ve passed.
The alternative that is gathering momentum is a risk-based approach to security. This is the
practice of embedding IT security within the organization as a process and not as a checklist.
Organizations that practice risk-based security continuously identify, evaluate, prioritize, and
balance risks as they change over time. Compliance never goes away with this approach; it just
gets folded into the process.
Compliance has historically been viewed as a painful activity that companies respond to with a
“one day of the year” mindset, usually involving a lot of scrambling to figure out the most basic
information about their networks.
In contrast, risk-based security is the ongoing process that addresses the other 364 days of the
year. Over time, being compliant becomes a byproduct of that process, and the scrambling goes
away.
12 Cyber Warnings E-Magazine – October 2015 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide