By Mark Fisher, MSIA instructor
I recently attended a conference where speaker after speaker talked about information security and compliance. In the exhibit hall there were rows upon rows of vendors trying to sell products and services to help companies become compliant with Sarbanes-Oxley, Gramm-Leach-Bliley, or the Payment Card Industries Data Security Standard (PCI-DSS). Everywhere I turned it was compliance, compliance, and more compliance.
I am not criticizing those companies. It is important for organizations to comply with the applicable laws and regulations and it is very legitimate for vendors to advertise how their products and services can help reach those goals. As a security consultant to community banks I know first-hand how focused on compliance my clients can be and I have used the need for compliance to sell my own services to them upon occasion.
One thing that concerns me is that we, as a profession, may be focusing too much on compliance to justify spending money and time on information security products. I fear that by focusing on compliance in the near-term we are weakening our position in the long. We want the organizations we serve to have a good program to effectively manage the IT-related risks that they face. Unfortunately, that can be a hard sell sometimes and our organizations often balk at doing what we think they need to do. To get them moving in the right direction we break out the big stick - compliance. We tell them that they need to be compliant with X or bad things will happen to the organization. Faced with that immediate, tangible requirement the organization opens up its wallet and starts doing the things we want them to do. Score one for the good guys!
The long-term risk is that someday the organization will meet the minimum compliance requirements. Meeting the compliance requirements doesn’t sound like a bad thing, but as IA professionals we understand that being compliant does not mean that the organization has an effective IT risk management program any more than having a driver's license means that you are a good driver. The risk is that we will say "Congratulations on becoming compliant with X, now you need to do Y and Z" and the organization will say "Hold on! For years you have been using compliance to justify every IT Security expenditure. Now you are telling us we need to do more? Why should I believe you?" At that point we have lost credibility and will have a much harder time getting people to do what we know they should do.
Every one of us has to sell the idea of security to people every day. We need to justify to our organizations why they need to spend hard-earned money on our projects rather than put it in their pockets or spend it on other activities. As professionals, we owe it to those that we serve to have honest discussions about what we really want them to do and why. In the short-term explaining risk management may be harder than just using the threat of non-compliance, but in the long-term organizations that understand and embrace the need for strong IT risk management will be in a much stronger position than those who chase after compliance alone.
Last Week’s Quiz Question
In 1992, Vermont’s capital city of Montpelier was inundated by flood waters in mid-winter. What caused the flood, and what is the name of the river?
Answer: The Winooski River flooded due to an ice jam.
Srinivas receives the very first information security textbook, published in 1964, entitled: “Protecting your data center from intrusion and malicious attack: Understanding the tensile strength of steel and concrete.” Congratulations Srinivas.
This Week’s Quiz Question
When were women first admitted to the Norwich University Corps of Cadets?
The winner receives a Personal H1Ni Protection Kit, including full-body rubber suit with 6 hour oxygen supply, airborn/food pathogen eradicating radiation kit, and webcam to communicate with family from a distance.
Send your entries to jorlando@norwich.edu
No comments:
Post a Comment