When Compliance Replaces Security
One of the worst states of mind an executive can have is the notion that their company is secure, because they are compliant with “you name it” regulation. HIPAA runs healthcare. PCI runs payments. Remaining compliant with each allows you to do business, it does not prevent your business from becoming a target, or allowing a breach. Far from it. No organisation, small or large, has been made completely secure because they aligned their processes to a compliance requirement.
With regulation clamping down more and more on an annual basis, the stranglehold for funds within IT and security are largely working their way towards meeting the needs of compliance. There are even entire divisions of Information Security departments dedicated to meeting compliance. I get it, you cannot process payments without being certified to PCI. You can’t work in the healthcare industry unless you are HIPAA compliant. Not meeting either is destructive to an organisation.
That being said, the way that information security is implemented in a lot of organisations is equivalent to wrapping electrical tape around the wings of an old air plane and telling the pilot “you’re good to go.” Compliance should NEVER be the driver behind processes built out within information technology and information security. Compliance should be an outcome of fundamentally sound information security structures built to support the business strategies, not the driving force behind InfoSec projects.
For too long organisations have been putting the buggy before the horse, and ultimately it creates more holes in processes to fix down the road. A lot of companies put in the minimum necessary work and processes to meet the requirements of “you name it” regulation, and it ends up costing them dearly when threats materialise in their environment.
Regulation isn’t going away any time soon. If anything, it is only going to restrict and tighten over the next few years. This makes it even more crucial for organisations not to rely on the newest version of regulation to come out to mature their information security processes. It is crucial that companies invest in information security people, processes and technology that support where their business is going (proactive), not what is going to be required next year (reactive).
Organisations should be looking at what future trends are on the horizon, and where their organisation wants to go in order to meet information security objectives. If an organisation builds out a robust information security framework, along with processes that support the business goals of the future, compliance will never be a month(s) long block of preparation work on a project manager’s calendar. It will fall out naturally, as it should.