Considering what businesses can do to make regulatory compliance a priority without losing focus on security basics, the short answer is to make regulatory compliance focus on security basics.
This is not as weird as it sounds. Most regulatory compliance is based on security basics. Take PCI-DSS for example (I agree it’s not regulatory compliance, but it serves as a good example). Most of the requirements of PCI-DSS reflect sound security basics with special emphasis placed on protecting the confidentiality of sensitive data (credit card information in this instance).
When I was at RBS I was involved in a Financial Services Authority (FSA) review of the organisation's security, with a view to making sure it was sound.
We took the bull by the horns and told the FSA what we expected in any regulatory requirements for security in financial services. Not surprisingly, this was based on what we were already doing, which, in our opinion, provided very sound security for the organisation.
More often than not, a security-aware organisation that pays attention to the basics will find it is compliant as a result
John Colley, (ISC)2
Too often compliance becomes a goal in itself rather than a means to show good and sound security. It is always worth remembering the adage “just because you’re compliant doesn’t mean you’re secure”. More often than not, a security-aware organisation that pays attention to the basics will find it is compliant as a result.
Ensuring the basics, of course, means a programme that is policy-driven with the mechanisms in place to ensure policy is relevant, understood and adhered to at every level of the organisation. In today’s user-enabled environments, emphasis on the latter part of this equation is more important than ever. Everyone is accountable at some level for protecting the security of their devices, and everyone needs to be motivated to do so.
Security Think Tank: How businesses can achieve compliance and security
So, try to turn the problem upside down and show that having sound security basics in place should mean that you meet compliance requirements. If you don’t, there is either something wrong with the compliance regime or there is something wrong with your security. Either way, this is something that needs identifying and addressing.
John Colley is managing director for Europe, Middle East and Africa at (ISC)2
This was first published in April 2012