Regulatory compliance should not be the primary driver of corporate information security efforts, according to IT managers speaking at the recent Computer Security Institute conference in Washington.
Over time, such a strategy could weaken a company’s defences, the IT executives said. Instead, they recommended that businesses make compliance a by-product of a much broader security strategy.
When companies try to manage risks by using a checklist of compliance items, there is “a very real danger” of overlooking other critical security issues, says Jack Jones, chief information security officer at Nationwide Mutual Insurance in Columbus, Ohio.
“Checklists cast the world in black-and-white terms,” Jones says. They’re valuable tools, he adds. But checklists alone “don’t allow organisations to take a good, rational and logical view of all the circumstances” that affect security risks, he says.
The warnings come amid increasing regulatory requirements and a rash of high-profile data breaches that have brought information security issues into corporate boardrooms for debate.
A global survey of IT security managers, released earlier this month by Ernst & Young International, found that compliance issues have for the first time replaced worms and viruses as the biggest driver of information-security efforts.
Conceptually, regulations can provide a set of guidelines that, in theory, organisations could use to establish good security practices, Jones says. “It’s very hard to argue with concepts like ‘least privilege’ and ‘need to know’ and ‘defence in depth.’ That’s in keeping with everybody’s strategy for managing risk,” he says.
Companies, however, have problems when the sole corporate security strategy is to ensure compliance with regulatory requirements, says Fred Trickey, information security administrator at Yeshiva University in New York.
“In one sense, [ensuring regulatory compliance] is of value to the information security community because it does give external validation of the things you’ve been working on,” Trickey says. But focusing an overall security strategy on compliance with a specific regulation can create a false sense of security, he adds.
“It’s important that you don’t lose sight of evolving threats, risks and attack models,” Trickey says. “If you’re entirely focused on regulations, you’ll lose sight of that.”
Establishing a successful security strategy can depend on whether compliance is the centrepiece of the effort or just a piece of the puzzle, says Gerhard Eschelbeck, chief technology officer at California-based Qualys.
“It all depends on where you set the bar,” Eschelbeck says.
Ben Rothke, a senior security consultant at ThruPoint, a management services company in New York, says good security systems should support regulatory requirements in general.
“The problem with compliance is that people tend to take a myopic view of what needs to be done whenever new regulations come out,” Rothke says. “The point needs to be made that those organisations with a solid security framework in place could easily handle any regulations thrown at them.”
The need to comply with regulations such as the [United States] Sarbanes-Oxley Act, the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act has certainly heightened the discussion around customer privacy and security, according to Greg Framke, CIO at ETrade Financial in New York.
In a separate interview, apart from the CSI conference, Framke said, “These are things we have been talking about and doing things about for a while.”
Framke says if a company’s security policy is robust, compliance is not an issue.