Security and compliance – a phrase often uttered in the same breath as if they are two sides of the same coin, two members of the same team or two great tastes that go great together.

As much as I would like to see auditors, developers, and security analysts living in harmony like a delicious Reese’s cup, a recent gap analysis that I was part of reminded me that too often the peanut butter and chocolate sit alone on their own separate shelves.

We reviewed a SaaS service with an eye toward compliance. The developers operate according to DevOps principles, which often bump into some of the more prescriptive requirements in control frameworks like the PCI DSS. While assessing the architecture, software development lifecycle, access and the myriad processes in place, the auditor determined that the security was designed and implemented, yet some areas were not in compliance. We had the peanut butter but were missing the chocolate.

The converse is also common. One can meet the letter of compliance yet miss the security goodness the criteria are intending to deliver. We’re all familiar with “checking the box” to get through an audit, meeting the letter of compliance and missing the spirit. How can security and compliance teams work together to create a winning alliance, protecting data, developing according to modern practices, and still pass an audit?

Same Goal, Different Actions

When it comes to the goals of both security and compliance, it boils down to one word: risk.

Managing risk is the reason both groups exist. That shared goal should inspire a combined effort to achieve it. Both groups design, establish and enforce controls to protect an organization. With so much in common, it seems like these two should be natural allies, and often they are. So why does