Thu, 09 Oct 2008 12:51:30 GMT
by pdp

Someone on LinkedIn asked: "Is Information Security driven by compliance?" My short answer is "yes, and this is a problem".

My long answer goes like this:

Getting your security sorted for the sake of compliance is wrong. It does not make any business sense, at least not from the way I look at it. At the end of the day it does not matter whether you comply with whichever three- or four-letter acronym. What matters most is how secure you actually are, and from my experience compliance regimes mostly create a false sense of security. The bottom line is this: if you want to keep your customers and business partners in the dark, collect as many acronyms as possible. It will cost a lot of money, and even more when an incident occurs. If you really care about security, spend that money on hiring the best of the best and let them show how it is done in the real world.

This is certainly not the best answer. Follow the discussion over here. You are not going to learn anything technical, but at least you will get a good idea of how the majority of security professionals on LinkedIn think.

Archived Comments

Amen! The one thing I disagree with is that you stated "will get a good idea how the majority of security professionals on LinkedIn think". You are highly generous in your credit here, PDP... These, in your book and mine, are not "security professionals". They're the guys who only think of the three- and four-letter acronyms, but generally couldn't provide a lucid solution if their career depended on it. I think a lot of the security bloggers that are bathing in the limelight tend to drift towards this side as well... It's those who actually present technical solutions / findings that gain my respect. The "analysts" are generally, to me, a waste of time / humorous reading. They make a pretty Keynote preso and travel the country regurgitating something they really don't understand... If only I could be that self-unaware! --windexh8er
While I'm not disagreeing that compliance doesn't do enough to address all security concerns in an organization, I've found that I've been able to leverage compliance (or the lack thereof) in order to get more (fill in the blank) for my team. Unfortunately, in an organization the size of the one I work in, and in these economic times, it's nice to have the "compliance" crutch to lean on when cost is an issue. So if compliance is nothing more than a way for security departments to get what they need, how do we go about making the three-letter guidelines more relevant from a pure security standpoint?
Wade, generally speaking compliance is a waste of money. Not that long ago I had the chance to experience an audit performed by one of the Big 4. Basically their work came down to going over a checklist. On top of that, the employees of the company being audited had to spend time writing useless and very irrelevant policies nobody really follows. It was the biggest waste of money and resources I have ever seen. But compliance is compliance. It gives you an undeserved sense of credibility and authority. I do not understand why money is an issue when someone is willing to throw ridiculous amounts of it at compliance, which does not work, which gives you nothing more than a three-letter word you can put next to your name, and which has no value whatsoever, since the majority of your customers probably do not know what the compliance is really all about because serious people do not have the time or interest to go ahead and read it. Security solutions should be delivered by people with experience, not CLAS consultants who got their qualifications after 3 weeks of training. No offense! Personally, I do not care if compliance is the preferred way for companies doing business today. If it works for you and especially for your PR (only if), then why not do it. But I still think that compliance is nothing more than a business tool which puts ROI next to security so someone can sleep better at night. However, sooner or later, shit hits the fan. You cannot escape it. Then how does compliance help you in any way? It doesn't help! So why take it then? You take it not because of your security! It is certainly not because of your PR, because I highly doubt that the huge majority of customers know what your ISO accreditations are for. Compliances, accreditations and certifications are only ways for aware companies to rip huge fees off your back just to tell you that you are doing well, when in fact you are not doing well at all! It is a complete waste of time and resources.
:) Instead of putting meaningless ISOs next to your name, put the company that did the security work for you. Say: "Our company's security was proudly assessed by X." Hey, you are not only going to give some good PR to your security team, but you will also make them work harder and provide even better value for your money. People understand people. They do not understand three-letter words.
pdp, I think a little explaining of my situation is in order. I work on a security assurance team for a fairly large company whose revenue trends basically match those of the overall US economy. As such, times have been tight over the past year, and more than once we've waved the PCI flag around to justify dollars, staff, software, training, etc. As a perfect example, I just leveraged PCI in a justification to allow 1 hire to replace the 4 that have left over the past year. This PCI flag works wonders when you're trying to get money out of execs that only understand the bottom line... and when you tell them their bottom line is going to be impacted to the tune of $25k per month per violation, the wallet opens up real quick. I'm certainly not saying that the PCI standards or auditors are doing anything to actually provide REAL security (vs. a false sense of security); I'm simply saying that it's given financially crippled security departments a reason to request additional support and funds. It still takes actual security professionals who know how to evaluate technology and implementations and can realistically determine what the risk, impact, and probability of an attack would be, and then propose various ways of mitigating the issues. You had a great comment/question in your response: "I do not understand why money is an issue when someone is willing to throw ridiculous amount of them on compliances". Why? Well, because they HAVE to. Now granted, more companies are getting it: they have good security teams in place, provide a good deal of resources and pay, and when it comes time for the auditors to do their thing, they don't find issues. Unfortunately, there are still lots of companies that don't get it.
I guess what I'm trying to say is that I agree that three-letter compliances don't do anything to help a business that doesn't believe in investing in security... but it does give existing security teams a financial-impact bullet to fire at executives who are trying to say that our efforts and needs are meaningless. I'm not sure I'm grasping what you're trying to say in the last 2 paragraphs of your response... are you saying that here at "Wade W Inc" we proudly have our security assessed by GNUCITIZEN? That I would have no problem posting... however (going back to the Big 4 from your opening paragraph), "Wade W Inc" proudly having our security assessed by Symantec Professional Services makes me want to vomit, then start hacking away.
Geoff (Ghost) Chim
Sorry PDP, I have to disagree with you this time. There are many security techniques and controls in order to test, verify, certify and protect an organization. Each of these disciplines (layers) has its own purpose. Security compliance is to ensure that an organization is compliant with a certain standard, policy or requirement. This will give confidence to customers and business partners. Yes, I agree with you that some of the Big 4 auditors are not technical in nature. This is because they are more trained in the security management and documentation side of security (what I call soft techniques). An organization can only protect itself properly if it has all security controls checked, such as checking whether it is compliant with ISO27001, SOX, HIPAA, PCI, and so on. Penetration testing (hard techniques) will not verify whether an organization's security framework can withstand disaster recovery, BCP, system fallback control, incident response, computer forensics, operational security, physical security, employee dismissal and other procedures, policies, guidelines and standards in place.
compliance is for the n00bs! hackers for teh win!