Pt. 1 of an Interview with Edward Schwartz - The Truth about Regulatory Compliance
Tue, 2009-10-13 00:45


This is the first part of my podcast interview with Edward Schwartz, CSO of NetWitness.  In this installment, Mr. Schwartz comments on regulatory compliance as a driver for security spending.

Regulatory compliance was cited as a driver for security investments by 40% of the respondents summarized in the March 2009 OWASP Security Spending Benchmarks Project Report.  Given the business impact of regulations like PCI DSS, Sarbanes-Oxley, and GLBA, this is understandable.  While savvy business leaders understand the limitations of these guidelines, there are among us less enlightened individuals who view them as a cure for organizational security problems.

Edward Schwartz, CSO of NetWitness, highlighted two issues that everyone must understand about security regulations.

  1. “Regulations are just designed to create a baseline – minimal acceptable value, security standard, and lexicon for people to speak to when they talk to each other,” said Schwartz.  Without these regulations, it would be difficult for different agencies to communicate about security issues.  Indeed, these regulations were borne out of a need for a cross-organizational risk management framework.
  2. Regulations are static in nature and very high level.  The threats, however, are changing constantly.  “Regulations are not designed to handle the kinds of threats, the kinds of vulnerabilities, and the kinds of problems that organizations are facing today,” said Schwartz.  That compliance does not ensure security is echoed in an article by Jefferson Wells' John Rostern.  "While PCI DSS does provide for safe harbor in the event of the breach (if the reports can be subsequently validated), this does nothing to actually improve security. The same may be said for compliance with other regulations such as the Gramm-Leach-Bliley Act," said Rostern.

According to Mr. Schwartz, there is a dichotomy in how the relationship between regulatory compliance and security is perceived.  CIO magazine asked CIOs, “Has Sarbanes-Oxley improved information security in your organization?”  The majority of the respondents indicated that it had.  The Computer Security Institute asked security officers the same question, and the majority of those respondents indicated that it had not.  How can these stakeholders have such different views on the same question?

“A lot of security programs,” said Schwartz, “are driven by compliance as a mandate.”  Since the Board of Directors holds the CIO responsible for compliance initiatives, he or she will likely distribute budget accordingly.  “Security managers, however, are not focused on compliance for its own sake.  They are focused on the protection of corporate assets,” said Schwartz.  Finding common ground between these sometimes contradictory perspectives is one of the challenges faced by security professionals.

Part 2 of this podcast interview will feature Mr. Schwartz's views on the use of network intelligence as a tool for marketing security investments.
