July 30, 2014

Security Compliance 101: Why Compliance Doesn't Equal Security

In today's Whiteboard Wednesday, Trey Ford, Global Security Strategist at Rapid7, discusses compliance and how it should fit into your security program today.

Oftentimes, IT and security teams focus solely on compliance and label that as their organization's security program. The problem with this is that compliance isn't focused on your organization's security; instead, it is focused on your customers' data. Trey will discuss why it is important to layer compliance into a security program that is focused on your organization.


Hi, I'm Trey Ford, Global Security Strategist with Rapid7. This week's Whiteboard Wednesday, we're going to talk about compliance. It's a hot-button issue. Security doesn't equal compliance and that makes us angry. We have a hard time discussing this without getting really emotional. I think early on, the business didn't really care about security. Some might say they still don't. We used to try to articulate to the business why what we did mattered, why we needed budget for different tools, different processes, and different equipment. And, you know, it fell on deaf ears.

We talked about cross-site scripting. We talked about CVSS scores. Very technical discussions the business didn't care about. As compliance came along, it turned into a crutch. We started discussing how these things needed to be prioritized because this regulation said so. And budgets got approved; that's a good thing. I'll say it again: compliance doesn't equal security. Why? Every regulation has a specific data set or purpose it serves.

When we talk about HIPAA, they're very focused on PHI, Protected Healthcare Information, medical records. That's very worthwhile, it's important. We talk about PCI, the Payment Card Industry? They talk about protecting credit card data. We don't own that information either. Our business isn't their priority. They're focused on protecting data. As information security professionals, we're charged with protecting the business and guiding the custodianship, the protection of information we don't own.

I think that we need to take a step back and remind ourselves that compliance bodies, regulatory bodies, these are absolute bare minimums; they're baselines. We don't set those priorities; our job is to take those, protect the information, and keep the business running. Don't let them set their priorities for you. Think of compliance as the starting point, not the goal. My name is Trey Ford with Rapid7. We'll talk to you next week.
