Today, regulatory and legislative compliance obligations seem endless and ever-changing. Organizations face enormous challenges in attempting to manage complex IT security programs and numerous compliance objectives while delivering evidence on different schedules to multiple parties.
Most organizations are already painfully aware of these challenges. Before discussing a specific approach to compliance, it’s important to recognize some fundamental truths and basic strategies.
1. Compliance does not equal security. An organization can be 100% compliant with PCI, SOX, GLBA, or any other standard and still not have a secure environment. As over 100 years of U.S. legal proceedings demonstrate, simply having an established framework of controls to work within will never prevent creative individuals from inventing new forms of malicious behavior (comparable to an exploit) that have never been considered previously (comparable to a vulnerability). Much as society generates new laws and regulations to close loopholes, software companies generate patches and updates to close vulnerabilities.
2. Compliance is subjective. Regardless of in-house expertise, organizations must respect the authority of auditors, QSAs, or vendors in interpreting regulations and in judging how successfully specific controls have been implemented. Yet these individuals come from diverse backgrounds, have varied degrees of experience, and have different levels of technical expertise, all of which influence how they interpret both the compliance requirements themselves and the degree to which those requirements have been met through technology or process. This is precisely why the art of compliance (as opposed to the science) is so dynamic and often frustrating for technologists: it is not black and white. It takes a combination of political savvy, negotiation, technical expertise, regulatory and legislative knowledge, flexibility, and effective communication to define and agree upon common goals.
3. Security has not changed since the dawn of man. The art and science of protection, whether of people, property, food and resources, technology, or data, boils down to some very simple and universal concepts. Compared with physical security standards or battle-tested kinetic warfare defense concepts, the only real difference is that technology has increased the speed and scale at which we are able to conduct operations to protect the things that matter.
Investments in general security technology and resources are critical first steps in achieving compliance. What makes all the difference in consistency, quality, and success, however, is whether organizations apply a strategic focus to activities, like the ones below, that actually matter.
Start with the end in mind. This is the most important component in achieving compliance success. Organizations need to work closely with auditors and customers to understand the precise scope of their compliance objectives and to define specific and realistic deliverables.
Nothing is perfect. It is important not to become mired in semantic analyses of requirements, and equally important to prevent philosophical debates between security experts and auditors.