A Post-Compliant World? – Part 2

Introduction

Do we still have infosec compliance? Is the concept of upholding data and computer security outmoded?

I showed in my previous piece how early attempts at compliance were based on pre-computer principles of locks and keys, until organizations realized that model no longer fit. The new technology evolved so quickly that it became futile to look back to traditional ways for security solutions.

Being in infosec compliance is frustrating. We want to protect, not restrict. If you’re a compliance manager, you’ll be familiar with the positive arguments we put forward about how compliance enables business, how it inoculates against legal pitfalls and how it can enhance an organization’s reputation (so important for market competition). In spite of all this, security really is an inhibitor. In this era of technological breakthrough and pressure to innovate, compliance can seem like a ball and chain to technologists. To them, our pitches must sound like claiming seatbelts enhance driving.

What, then, is the modern argument for infosec compliance? From a compliance manager’s viewpoint, batting for it can seem to be a series of long innings, with computer innovation having an impressive variety of pitches.

On the other hand, most technology innovators will not openly oppose security any more than car manufacturers oppose better car safety. Through news headlines and personal experience, they too must be aware of the cost of security breaches, and how commonplace errors can lead to any size of business and any individual getting hurt. Quite reasonably, they will still want to see security controls eased (they won’t say “weakened”). They do want quicker uptake of innovation, especially where it gives advantages (however fleeting) through new ways of working and, of course, to profit margins.

The arguments for security are also frequently undermined by the natural drive for ease of …

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by John G. Laskey. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/pA4QNrFSu1o/