Security, compliance and the World Cup 2010

I couldn’t really say that the whole conversation around security and compliance ever calmed down much, but I seem to hear people talking about it a lot recently. On the one side there are the security vendors who see it as an opportunity to justify budget requests for whatever solution they are trying to sell; and why wouldn’t they? Regulations were put in place to force organizations to implement a basic level of controls, and if the vendor’s solution covers a certain control area (however far-fetched the mapping is) the case might be just that little bit more appealing to the CFO and close the sale. On the other hand there are the security professionals whose responsibility it is to secure the organization and minimize the overall risk as a whole, not just the piece of the infrastructure the auditor shines his torch on. These people typically struggle to find funding for essential security controls which are not necessarily related to any compliance requirement but would considerably raise the overall security posture. Being the smart people they are, security professionals have realized that complaining about the situation does not help as much as trying to make the best of it.

The first step, obviously, is to understand which external and internal compliance requirements apply to your organization. Not an easy task, but once it is understood, the relevant regulations, policies, guidelines, etc. can be layered on top of each other and their control requirements mapped against one another to see where you can realize consolidation benefits. Services like the Unified Compliance Framework should help with this.

For the sake of this little write up I’m picking some random control requirements as an example.


Once the control requirements have been identified they can be addressed. You can approach this by taking the requirements and working through them one by one until all the boxes on the audit sheet are ticked; you’ll likely pass your audit, but the cost/benefit ratio from an overall security posture point of view might be less than desirable – a bit like firefighting with a watering can. In the end you might find yourself with no budget left for other security projects because you’ve used it all up fulfilling your compliance requirements. Not an ideal situation, and I would assume rather annoying if you find yourself in this position. It might seem like security controls have been randomly sprinkled over your infrastructure without much added value.

But you could also try to see compliance requirements as a chance to genuinely increase the security posture of your organization. This might not always be possible; it will be harder to accomplish and it requires some creativity and time, but it will probably pay off and make your job more satisfying. So, step back, look at what you can work with and connect the dots. If you find the correct links, group the right controls and align your assets cleverly, you might be on your way to winning the game 🙂

What I’m trying to say is that compliance requirements have the same goal as your security strategy – to keep your organization ahead in the game without risking any foul play, offside or penalties. The players nominated may not be your first choice and maybe you don’t like the condition of the playing field, but you are the coach and can bring this home with the right game plan. Just like a real coach, you would probably not put together a team of players who can do only one thing really well, but rather look for players who have their core talent and cover other areas of the game too. To snap out of the soccer analogy: if you look for solutions that cover your compliance requirements while providing additional value to your overall security strategy, your budget might go further and your CFO might like you better. (No promises.)