Last week's sessions at Infosecurity Europe reminded me of the difference between compliance and real security. They are quite distinct objectives. They are in fact two of the three faces of information security.
Compliance is where most of the current action lies. It dominates the work of the internal security function and justifies the budget for security. Compliance spending is incontestable and repeatable. It sails through investment appraisal processes even when capital spending is pulled. Unfortunately, it's all based on collections of ancient practices, with a heavy emphasis on documentation and audits. And if you don't want to pay for security, you simply accept the risk. Your security might be completely ineffective, but your paperwork will gain you full marks.
Business enablement is the side of security that we present to management. The board and the business love you when you tell them that security will enhance your reputation, gain sales, underpin new products and enable new ways of working. It sounds great, but it's no more than wishful thinking. Such a business case would never get past an investment appraisal board, nor would it be a sustainable source of future budget. But it makes you popular with directors and business managers. "This guy talks our language!"
Real security is the side of security that nobody wants to face. It's expensive, difficult and disruptive. It's about managing today's risks, not fixing last year's outstanding audit actions. It's about cancelling dangerous projects, scrapping insecure systems and eliminating bad practices. It's concerned with tackling advanced persistent threats and insecure SCADA systems that no one wishes to acknowledge. It means taking critical intellectual assets off the network, and telling your project managers to go back to the drawing board. It makes you unpopular, and potentially unemployable.
And this is why most organizations are sleepwalking into a future crisis.