Use Compliance Requirements as a Guide, Not a Strategy
Mon, 2009-08-03 14:28

It isn’t a new problem.  Businesses that focus on compliance instead of security are common.  If management can demonstrate compliance with relevant regulations, they tend to experience the warm and fuzzy feeling that comes after a CYA (Cover Your “Buttocks”) exercise.  But security is more than making sure your auditors are happy.  It is about juggling operational effectiveness and security as well as checking the boxes on a compliance checklist.

This topic has come up many times in the past, but compliance for the sake of compliance still seems to be a major theme in some quarters.  Take, for example, the recent Forrester article IT Compliance: From Painful to Pleasant.  In the article, Khalid Kark writes about the various methods of achieving compliance.  His approach starts with identifying compliance requirements; the rest of the article focuses on general steps to address them.  This is one approach, but it falls short of an overall security strategy.

I propose another method: identify potential risks in the environment and address those risks, balancing business productivity with security, using regulatory requirements only as a guide.  From this perspective, all relevant risks are addressed by your security strategy and controls framework.  You’re still compliant, but compliance is relegated to its rightful place within security.

Once you’ve put compliance in its place, it’s still important not to treat regulations and standards as inflexible mandates.  One of the things I like about HIPAA, in addition to its comprehensive approach to security, is its assertion that its standards and guidelines are to be implemented in a way that is reasonable and appropriate for each organization.  This avoids the biggest problem with security-by-compliance: a one-size-fits-all mentality.  Take any regulation (GLBA, FACTA, etc.) or standard (e.g., PCI), and you’ll find plenty of advice on how to implement the “letter” of each instead of the “spirit.”

The spirit of a regulation or standard is defined by its intended outcomes.  These outcomes typically aim at achieving a reasonable and appropriate level of risk for the organization and its customers, employees, and investors.  And since the meaning of “reasonable and appropriate” changes based on many factors, no single approach will achieve optimal results across all data caretakers.

So, the digest version: start with a comprehensive security strategy based on best practices such as COBIT or ISO 27002 (2005), integrating regulations and standards as necessary, to the extent that makes sense for your business.
