Viewpoint: When it comes to enterprise security, is it better to focus on compliance or risk?

Christian Anschuetz and Dan Abdul | April 23, 2013
Many companies focus their security efforts on meeting compliance requirements. But if you are audit compliant, have you in fact addressed all of your risks, or are you just kidding yourself?

Both risk management and compliance are essential, and firms that merge, balance and manage the overlap between the two are most likely to avoid the biggest and most dangerous obstacles to their existence.

Complying with OSHA may well protect a worker from the hazard of trips and falls and protect a firm from non-compliance fines and other sanctions, but to create a truly safety-minded culture a company needs to embrace safety practices and integrate them into the very core of its business.

A company may likewise be in compliance with data privacy laws; however, without explicit education and processes in place to protect its key information, it can still suffer massive brand damage. In this situation, an exemplary risk management practice would ensure that data privacy standards were adhered to and, based on the specific risk that data breaches pose to the corporation, would also have created restrictions and response plans for other potential hazards, such as members of its workforce using social media tools in an inappropriate, or at least unexpected, manner.

As mentioned, non-compliance itself is a risk. The cost of getting compliance wrong today can be staggering. Whether it is the UCLA Health System paying $865,000 for alleged violations of HIPAA's privacy and security rules, or the $13 million in fines Visa assessed against Genesco for non-compliance with the Payment Card Industry Data Security Standard, barely a day passes without news of a hefty fine levied against a firm that ran afoul of laws and regulations. Risk management should treat compliance as its own risk category, much like credit or market risk.

Regardless of what position a firm takes on the relative importance of risk management vs. compliance, "checkbox compliance" will never sufficiently protect a firm from the many hazards it encounters; it does not come close to equaling true risk mitigation. Had the captain of the Titanic taken a risk-based approach to his last voyage rather than a myopic focus on compliance, history would have recorded a far different outcome.

UL is a global independent safety science company with more than a century of expertise innovating safety solutions from the public adoption of electricity to new breakthroughs in sustainability, renewable energy and nanotechnology. Dedicated to promoting safe living and working environments, UL helps safeguard people, products and places in important ways, facilitating trade and providing peace of mind.

Focusing on risk addresses compliance holistically

By Dan Abdul, Chief Information Officer, Minnesota Department of Veteran Affairs

Chasing compliance is an endless proposition that consumes valuable resources which could be better spent on an enterprise risk management initiative: one that clearly defines the levels of risk the organization considers acceptable and addresses them through an agreed-upon risk management and governance process.
