Security Think Tank: How businesses can achieve compliance and security

What can businesses do to make regulatory compliance a priority without losing focus on security basics?

In truth, I don't want anyone to "make compliance a priority", so I won't give advice on what businesses should do about that. 

In my view, compliance should not be a priority – information security should be a priority, one from which compliance will flow as long as some conditions are met.

To illustrate this point, ask yourself which is more important: complying with seatbelt law or actually surviving a car crash. The two don't always amount to the same thing.

Wearing a seatbelt and implementing regulatory compliance controls are both means to an end. In the field of information security, the "end" is always the protection of personal and business-critical data. You should view compliance mandates as motivators, not as ends or business priorities.

By focusing on information security, you can achieve both security and compliance. To make compliance flow from security, you must document your controls, preserve evidence of your monitoring and investigative activities, and maintain a clear understanding of the extent to which regulations apply to your business.

By contrast, if you focus on compliance alone, you risk falling short on both counts. The familiar pattern is an organisation that treats regulatory compliance as a box-ticking exercise, passes its audit, gets breached, and is then fined anyway because it failed to maintain the required controls between audits.

It is essential to maintain a good security posture at all times, unless you expect to convince the world's attackers to strike only once a year, just after you have passed your compliance audit and are formally in good security shape.

Thus, your priority must be to plan, implement and, above all, maintain information security for as long as you run your business.

Anton Chuvakin is a research analyst at Gartner

This was last published in April 2012
