Compliance is Just the Beginning

You might have noticed our new web site and its central flash animation. At the conclusion of each round of frames, we declare the following:

Compliance is just the beginning!

Know your enemy. Know your weaknesses. Have a plan.

Behind these seemingly simple statements lies a lot of thought. Firstly, we talk about compliance. By definition, compliance means that you comply with standards. These standards are set up as a bare minimum operating level for any given industry so that all the players meet some standard set of rules and can work together based on them. With cars, it's state inspection. With food preparation, it's health inspection. With any structure, it's building code. In every one of these, the bare minimum is almost always just that, and the vast majority strive to be better. If your car only barely passes inspection, it's likely not very safe or efficient. If your food was cooked in a kitchen that got the lowest allowable score on a health inspection, there's a good chance that you'll be sick in the near future. If your house only meets building code minimums, it likely won't hold up very well in a wind storm.

So, given that compliance is just the bare minimum, and that the bare minimum is not something you should be aiming for, why is it that so much effort is spent in the financial industry on being compliant? Almost all of the security breaches in recent memory, and likely into the future, have been and will be at organizations compliant with security requirements. Compliance is a minimum, and the minimum is never good enough when you're dealing with other people's money. Striving for compliance is like trying to come in last place.

Real security should be approached just like all other parts of the business. You need to have a metric, you need to measure it, and you need to manage it. In security, the metric is risk, and it is measured against cost and the risk mitigated. That's the theory, anyway. In reality, it's so much more than just cost vs. reward. Something we try to make clear to our customers is that there is a balanced security level for every organization, system, and situation. It is reached when security reaches a level where it complements all other parts of the business and is maintainable.

In the end, your goal should be security, not compliance. Compliance is a byproduct of good security practices and good corporate stewardship.
