Meshing Compliance with Security - Compliance and Security: For the Future
All of the work is worth it, Cole claims, because it builds a bedrock of fundamental security practices that not only ensures compliance with today’s standards but also makes it easier to comply with new standards whenever they’re rolled out.
“When you look at things like HIPAA, PCI and GLB, all those are regulatory requirements based on an international standard. Typically, they may not call out the ISO standard specifically, but when you boil it down, they’re applying a security requirement to a particular data set,” Cole says. “So by following an internationally recognized standard such as the ISO 27000 series, we’re going to meet the regulations, as long as we apply our controls appropriately.”
Cole and Varolii are hardly alone in this progressive mind-set. Bruce Wignall, chief information security officer (CISO) of the large call-center firm Teleperformance, says that ISO standards are at the “heart and center” of his organization’s security practice. With the groundwork laid by these broad standards, Wignall can more easily overlay other, more specific standards or regulatory compliance practices.
“We bolt in ITIL [IT Infrastructure Library] on top of ISO [or] we bolt in PCI on top of ISO, and that starts to [erect] the building blocks of our security practice and just makes it easier to bite off one piece at a time,” Wignall says. He adds that standards-based security is less about throwing regulatory compliance concerns out the window and more about approaching the spirit of the entire arc of security regulations, which were, after all, developed to protect the data.
“I think it is important; I think it’s a responsibility all of us have. I don’t think you should take the least intrusive route [or] look at it as something you don’t want to do,” Wignall says. “We’re not taking a minimal approach; we’re taking an aggressive approach because it’s actually maturing everything we’re doing.”
This approach is likely to address both security and compliance far more effectively than merely trying to adhere to the letter of the law. For example, certain regulations require encryption of specific data sets. Rather than encrypting only the specifically mandated data, Wignall has chosen to encrypt everything. This “dumbs it down” for his organization, he says, and makes it easier to comply with future regulations.
“When a new security certification [is] invented, it [won’t be] that big a deal. I know I can comply because I’m doing all of the things I should be doing,” he says.
Taking this best-practices-first approach also makes it easier to navigate the security vendor landscape, security experts say.
Unfortunately, the myth that security equals compliance has been perpetuated in part by security vendors who see compliance mandates as an opportunity to prey upon organizations that wouldn’t otherwise spend money on their products but are looking for an easy fix for all of their security and compliance problems.
“When somebody comes riding in on a white horse and says, ‘Hey, I’m going to make this easy for you, just write me a check,’ you really want to believe that,” says Mike Rothman, president and principal analyst of Security Incite. “There’s nothing easy about [compliance]; there’s nothing easy about security. So when a vendor comes out and says we’ll make compliance [easy] or we’ll make security easy, that’s borderline offensive because it’s not true, but the customer wants to hear that.”
Observers such as Ken Tyminski, former vice president and CISO at Prudential Insurance Company of America, say that when users adhere to security best practices, compliance efforts will be driven by people, policies and processes, not by technology. The added benefit is that this focus makes it easier to avoid getting sucked into vendors’ empty promises.
“I used to get all sorts of vendors who would come in and say, ‘I can solve this regulatory challenge.’ It didn’t matter if it was GLB or PCI or SOX; it seems whatever was hot at the time, they were experts in that particular regulation,” Tyminski says. “I see many people make this mistake [where they say], ‘We bought this widget so therefore we’re PCI compliant or we’re SOX compliant.’ It is a much bigger issue than that when you look at it. So my recommendation is [to] understand what you are doing [and] understand what you are trying to protect. Then it will be obvious what the best technology is, given your situation.”