Increased government regulations and industry requirements are forcing organizations to comply with standards that in the long run are actually very useful. Many of the required controls can seriously help improve your security posture – especially if your company is new to compliance.
The compliance trap that many companies fall into is that they focus on passing an audit instead of ensuring a sound network security posture. Being compliant is one thing, but being secure is a completely different level.
As we’ve seen in the news recently there have been multiple companies that were compliant (and possibly complacent), yet not secure. Achieving compliance should not be the end-all-be-all of your security program; it should be viewed as a minimum baseline.
Point-in-time vs. Continuous Compliance
Regulations and standards are needed to keep information technology and security teams (and the business) honest. If you’re just looking to pass an audit, you’re failing as a security professional. The entire business fails in a way too, but it’s your responsibility to educate management and fight for better security, not just for meeting compliance requirements. The purpose of an audit is to determine whether you’re adhering to the standards of the regulation(s) in question, but you can be compliant at the time of an audit and fall out of compliance afterwards. Being compliant doesn’t mean being compliant only when the auditors are in the building; it must be continuous.
This is something that drives security professionals crazy, because inevitably there’s a mad dash to “verify” and “prove” that you’ve been following the defined controls throughout the year whenever the auditors show up. The check-box mentality is dangerous because it lulls engineers, and especially management, into a false sense of security. What much of upper management, and even many engineers, see is process and technology being put in place to assist with security, so the prevailing thought is that we must be secure. In reality these are security basics, not a proverbial impenetrable fortress. Security managers must not let people fall asleep at the wheel; they must keep building on top of the foundation that the regulation or requirement has just laid.
Using Compliance to Build Upon Your Security Program
Here are some key considerations for using “compliance” as a method of building up the security of your organization.
So compliance can be a double-edged sword: it can give you a false sense of security, or it can be the impetus for building your security program and earning the business’s confidence in your information security department. It’s your choice; choose wisely.