Meshing Compliance with Security

The realities of today’s heavily regulated IT environment have forced a shift in IT security priorities. Initiatives that once could never find a sponsor are now being funded, as organizations scurry to comply with regulatory demands. This has been a positive step for many IT security practices, but there are some definite downsides.

The sad news is that some organizations have begun to equate compliance with security, assuming that the act of complying with standards such as the Payment Card Industry (PCI) Data Security Standard (DSS), and regulations such as the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act (SOX) or the Gramm-Leach-Bliley Act (GLB) automatically ensures sufficient security of IT infrastructure and data stores. But, as most grizzled security veterans will tell you, this is far from the truth.

“It’s not a golden pass or a silver bullet; it just means you meet their regulations, not that you’re secure,” says Alan Shimel, chief strategy officer of the security firm StillSecure. “So (it) is a fine start, but it’s not the be all and end all.”

Shimel and others say that it is critical for organizations to understand that compliance does not equal security. Some IT security practitioners in the trenches have tried to fight overreliance on the security views of regulators by taking a step back and thinking about how to build a comprehensive security program that is driven by risk management best practices rather than regulations alone. Their theory is that by handling security first, compliance will take care of itself.

“If you focus on compliance, you can easily miss security concerns,” says Vern Cole, chief security officer for Varolii, an on-demand interactive communication solutions company. “That’s one of the reasons why Varolii has chosen to focus on a best practice standard like the ISO standard, so that by complying with that standard, by meeting those requirements and focusing on that standard body, we’re going to hit any compliance requirement that comes up from a regulatory body.”

Varolii is currently in the process of certifying its IT practices against the International Organization for Standardization’s ISO 27001 standard. The process is arduous and demanding, Cole says, adding,

“We are still getting compliant with the standards body. There’s a lot going on, and if you were to talk to some of our engineering and operations people, they would probably tell you all they’re doing right now is making adjustments to our existing infrastructure and working very hard and very rapidly to get some things in place.”

Cole says much of the effort has centered on redeveloping the underlying IT infrastructure to enable easy and efficient security monitoring in the future. “We’re modifying our architecture to allow better insight into where we store our information, how it’s being accessed and [how we can] consolidate this type of information into a centralized place where it is easier for us to monitor and access the information.”