Security And (Or) Regulatory Compliance

Anyone who knows me knows that I don't believe achieving regulatory compliance is a technology problem. Sure, good tech will help you get there. But at it's core, compliance is a processes problem. And a pet peeve of mine has been how the mad dash toward regulatory compliance has, in many organizations, forced CISOs to take their eye off of security.

2 Min Read
Dark Reading logo in a gray background | Dark Reading

Anyone who knows me knows that I don't believe achieving regulatory compliance is a technology problem. Sure, good tech will help you get there. But at it's core, compliance is a processes problem. And a pet peeve of mine has been how the mad dash toward regulatory compliance has, in many organizations, forced CISOs to take their eye off of security.David Mortman, who I last spoke with while he was CISO at Siebel Systems (prior to the Oracle acquisition) is a regular speaker on the infosec beat, and he knows something about grappling with compliance issues.

Mortman has an excellent take on the issue, which he has posted on (former Gartner analyst) Rich Mogul's security blog, Securosis.

He outlines the importance of what he labels the three elements to leveraging compliance for security. They are separation of duties, need to know, and change management. These are areas where compliance efforts can aid IT security.

While attaining those attributes is challenging enough, perhaps, in my opinion, the organizational communication aspects of security and compliance are the hardest part. Here's Mortman's take on the importance of communication.

"Technology may enable -- or inhibit -- change, but it does not drive change. Consistent communications must exist, however, between functional areas (e.g., information technology) and lines of business (e.g., product engineering or consumer loans). Such communication facilitates incremental adjustments in technology deployment that must be recorded in system configuration documents, process updates, and business continuity plans. The continuous realignment of IT and business practice is comparable to the quality movements in manufacturing processes."

Keeping incremental changes in technology deployments is hard enough, but can be (albeit not trivially) answered with change management databases and similar single sources of truth.

The long-term difficulty is maintaining an organizational attitude of teamwork, where people aren't defending turfs, but working toward the betterment of the entire company. Mortman's post on Leveraging Compliance For Security can be found here.

About the Author

George V. Hulme, Contributing Writer

An award winning writer and journalist, for more than 20 years George Hulme has written about business, technology, and IT security topics. He currently freelances for a wide range of publications, and is security blogger at InformationWeek.com.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights