The Truth About Regulatory Compliance

October 19, 2009 by ADMIN

By Steven Fox, Founder of SecureLexicon

This is the first part of my podcast interview with Edward Schwartz, CSO of NetWitness. In this installment, Mr. Schwartz comments on regulatory compliance as a driver for security spending.

Regulatory compliance was cited as a driver for security investments by 40% of the respondents summarized in the March 2009 OWASP Security Spending Benchmarks Project Report.

Given the business impact of regulations like PCI DSS, Sarbanes Oxley, and GLBA, this is understandable.

While savvy business leaders understand the limitations of these guidelines, there are among us less enlightened individuals who view these as a cure for organizational security issues.

Edward Schwartz, CSO of NetWitness, highlighted two issues that everyone must understand about security regulations.

  1. “Regulations are just designed to create a baseline – minimal acceptable value, security standard, and lexicon for people to speak to when they talk to each other,” said Schwartz. Without these regulations, it would be difficult for different agencies to communicate about security issues. Indeed, these regulations were borne out of a need for a cross-organizational risk management framework.
  2. Regulations are static in nature and very high level. The threats, however, are changing constantly. “Regulations are not designed to handle the kinds of threats, the kinds of vulnerabilities, and the kinds of problems that organizations are facing today,” said Schwartz. That compliance does not ensure security is echoed in an article by Jefferson Wells’ John Rostern. “While PCI DSS does provide for safe harbor in the event of the breach (if the reports can be subsequently validated), this does nothing to actually improve security. The same may be said for compliance with other regulations such as the Gramm-Leach-Bliley Act,” said Rostern.

According to Mr. Schwartz, there is a dichotomy in how the relationship between regulatory compliance and security is perceived.

CIO magazine asked CIOs, “Has Sarbanes Oxley improved Information Security in your organization?” The majority of the respondents indicated that it had.

Computer Security Institute asked security officers the same question. The majority of these respondents indicated that it had not.

How can these stakeholders have such different views on the same question? “A lot of security programs,” said Schwartz, “are driven by compliance as a mandate.”

Since the Board of Directors holds the CIO responsible for compliance initiatives, he/she will likely distribute budget accordingly.

“Security managers, however, are not focused on compliance for its own sake. They are focused on the protection of corporate assets,” said Schwartz.

Finding common ground between these sometimes contradictory perspectives is one of the challenges faced by security professionals.

Part 2 of this podcast interview will feature Mr. Schwartz’s views on the use of network intelligence as a tool for marketing security investments.

Originally published at CIO

Steven Fox is an independent information security consultant. He holds a Masters in Business Information Technology from Walsh College, an NSA-recognized Center of Excellence. He serves on the board of the Detroit ISSA chapter and is a columnist for the ISSA Journal. He is also the founder of SecureLexicon, a security advisory firm addressing the unique security concerns of nonprofit organizations.

He can be contacted at sfox@securelexicon.com
Follow him on Twitter: @SecureLexicon
Join Steven’s LinkedIn Network


The Publisher gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com
