This article, The Compliance Cop-Out, caught my eye recently. Bob Bragdon, publisher of CSO Magazine, believes that CSOs are copping out by using regulatory compliance as the justification for security spending. Numerous recent surveys support this. And with virtually every security vendor attaching the “C” word to their products, I have to agree with him. Both the supply side and the buy side of the security industry seem in agreement here, that positioning security technologies as “silver bulle
But is this really good for the enterprise’s security posture? As Bob points out, doing a comprehensive assessment of risk, and mitigating risk based upon the results of that assessment, is a better approach, one that is more likely to lead to the most serious risks being addressed in the right order, to achieve the best effect in terms of protection and reduced risk. Done right, risk management and compliance can co-exist quite well, with controls mapped to multiple regulations, and with the outputs of the risk management process identifying where the organization is in compliance and where there are gaps.
Jim Hietala, GSEC, GCFW and CISSP, is the principal of Compliance Research Group, providing research, analysis, and consulting services in the areas of compliance, risk management, and IT security. Jim has provided consulting services to organizations such as SANS, The Open Group Security Forum, Logical Security, and a number of IT security and compliance vendors. He is a frequent speaker at industry conferences, and he recently authored a comprehensive course on IT risk management. He participates in the SANS Analyst/Expert program, having written several whitepapers and participated in several webcasts for SANS. He has also published numerous articles on information security, risk management, and compliance topics in publications including The ISSA Journal, Bank Accounting & Finance, Risk Factor, and others. He holds a B.S. in Marketing from Southern Illinois University. Editorial focus: Compliance, Risk Management, IT Security, IT-GRC software, HIPAA, GLBA, Privacy
Jim can be reached at: jim@compliancefocus.com