These laws have been around now for several years. The information security industry has seen unprecedented growth as a result of efforts to comply with these laws. The information security executives' role has expanded far beyond just implementing security technologies. We are now deeply involved in ensuring our firms pass audits, avoiding negative press and keeping our executives out of jail.
For me and my colleagues these laws were a welcome impetus because they forced our executives to wake up and begin paying attention to the importance of information security. While that new attention brought with it increased budgets and resources, it has had a side effect we might not have anticipated. In their zeal to meet compliance requirements (and stay out of jail), our executives have adopted a compliance checklist mentality. "Just get through the audit" seems to be our executives' mantra.
The negative side effect of a checklist mentality is that we focus on getting boxes checked off rather than making sure we are doing the right thing. I use the analogy that there might be a requirement for a door, and so we install a door. Unfortunately, the door is pointless without a lock, but the requirement did not ask for a lock, and so we did not get one. This is what I mean when I ask, "Can we be compliant but still insecure?"
So how do we overcome this challenge? What can we do as security and compliance executives to ensure that we are meeting compliance requirements and managing traditional information security risk at the same time? With our budgets likely to be shrinking as the economy slows, we had better make sure we are doing the most with what we have.
Here are my suggestions. I like to call this the way to make a security and compliance smoothie.
Start with all the ingredients
Make sure that you know all of the things you want to include in your security and compliance requirements mixture. Remember that the ingredients are not just laws and regulations. Make sure you include your industry mandates, international standards, business partner agreements and your own internal policies. Without all of those you don't really have the complete picture.
Blend them well
One of the problems I have seen in the past with trying to comply with all those things is that folks attempt to map each control in their environment to each requirement. This ends up looking like the cat's cradle thing we used to do with yarn on our fingers in elementary school. That's not the solution, and it sure is not usable or scalable. The better solution is to remove the redundancy by combining like requirements and adding specificity where there is ambiguity. This should result in a new, smaller list of all the things you have to comply with.