Which comes first: compliance, security or operability?

The task of managing risk has changed dramatically, writes Raj Samani of ISSA UK. There was a time when compliance was unheard of (so to speak), security meant switching off the modems, and operability involved leaving a big lorry in the car park for a week to verify that back-ups worked.

This tranquil world is long gone. Projects and budgets are dictated by the need to comply, systems operability demands 24-hour uptime for fear of losing significant revenue, and the set of risks affecting an organisation changes on a daily basis.

Equally confusing is how compliance, security and operability are so interlinked that a potential change in one can dramatically affect another.

Take the PCI Data Security Standard (PCI DSS) for companies processing credit cards. Complying with it should result in greater security for an organisation. But compliance is not the same as security: an organisation can be more secure than the standard demands without ever being compliant, and a compliant organisation is not automatically a secure one.

So why is compliance introduced? Largely because companies or individuals fail to do the right thing, so regulations or new laws are passed to force them to act correctly.

24/7 imperative

What remains constant is operability. Without an available system, surely the business will grind to a halt?

But as we are all aware, there is nothing cut and dried about making business decisions, and what has prevailed is the need to balance security and operability. Although the introduction of more compliance requirements has taken some of the guesswork out of defining the line between the two, this line is not fixed. The exact balance will vary not only from industry to industry, from company to company and from department to department, but even with the phase a particular project is in.

This blurry line can even shift with personal circumstances. Ask a security professional the number one systems priority for any given organisation and they will say "security". But ask them again when they are a patient in a hospital whose systems support their treatment, and their perception of risk may well change and they will answer "operability".

Equally, if you asked the same question of Société Générale executives shortly after a rogue trader lost the bank £3.7bn by circumventing its internal controls, then "security (and a lot more of it)" might be their answer. But ask them just before the annual bonuses are decided and they might just go for operability.

Business will continue to change, as will compliance requirements, and with the potential threat of custodial sentences for non-compliance, this area will take on more importance. Likewise, with increasing reliance on the internet to generate revenue, operability will remain high on the agenda. The demand for security will therefore rise to such an extent that the demand for good security professionals will far outstrip supply.

Raj Samani is vice-president for communications at ISSA UK, and is speaking in the keynote programme at Infosecurity Europe