7 Dirty Secrets… a Rebuttal

Steve Ragan with the Tech Herald has posted a response to Joshua Corman’s “7 Dirty Secrets of the Security Industry” presentation, and I got quoted!

<my submitted response>

Overall, Tim Greene’s brief of Joshua Corman’s presentation does a solid job of discussing the very real need for, “a healthy level of skepticism about what security vendors” communicate.

The fifth ‘dirty secret’ in his article states that, “compliance threatens security.” While I personally didn’t see the presentation, Tim alludes to Joshua speaking on the ‘check-list’ mentality of organizations that exhaust resources and budget pursuing the ‘approval’ of some mythical auditor, and I see this as a rather narrow view.

“The problem is that regulations create a budget and resource conflict between what compliance demands and what network executives think really needs doing…”

Organizations that exhaust their budgets with the explicit intent of compliance are obviously preferable targets compared to those following a risk-based security model, but to label compliance as threatening security is a bit of a reach.

All men may have been created equal, but data certainly was not. Compliance requirements are created by groups interested in a specific dataset. HIPAA was enacted by the U.S. House of Congress back in 1996 to ensure the protection and privacy of patient records. Visa and MasterCard have led the Payment Card Industry in the charge for industry self-regulation in an effort to protect consumer data and payment channels.

The prescriptive control set called for by each regulatory body serves as a baseline for what they require to protect *their* data set in discussion. This is a starting point for corporate discussion.

If disinterested executives are focused on only sliding by, it is easy to consider regulatory compliance as a threat to security. I submit that in the same breath these executives will likely not have sought *any* form of security had compliance not been in the picture.

Regulatory compliance has served the security industry by forcing corporations to take a long look at how to find threats and systematically eliminate them, and how to ensure this isn’t a one-time event. Compliance has supported information security in the boardroom.

</my submitted response>
