Ask the Expert

Information security program development: Security vs. compliance

I've recently become a security manager at a company that has a history of being "compliant for the audit," meaning, before an audit there's a big push to make sure everything's up to snuff, and the company passes; afterwards, security becomes lax once again. What would you say are best practices for creating a security culture where information security is the goal rather than audit compliance?


First of all, congratulations on becoming a security manager! Well done! It can be a terrific, challenging job, though sometimes filled with frustration and moments when you wonder if you can ever be successful. However, I do compliment you for at least being aware of the culture you are working in; hopefully, it is an exaggeration and not the truth.

So, your challenge is not only to do your job as the security manager, but also to commence information security program development and foster a culture of security. Here are some thoughts on how you might want to proceed:

  1. Meet with the CIO, internal audit manager, CFO and even the CEO to better understand their concerns and interests in the area of compliance and audits. Try to ascertain if they are truly only focused on passing during the audit or if there are other barriers or reasons behind this perception. Perhaps they see the compliance work as being too expensive. Therefore, you may be able to make a case for being continuously compliant to keep costs level and perhaps even lower, especially if fines are involved.

  2. Establish a schedule of internal audits. Work with the internal audit department and select particular areas of compliance on which to perform monthly reviews. For example, if the company must be compliant with the Payment Card Industry Data Security Standard (PCI DSS), then you can take one area a month (i.e., one month for each of the twelve sections of PCI DSS) and perform a spot check or informal audit. Then, with the findings determined, work with the responsible department to help them make calm, focused corrections to their program and processes that have long-term impact rather than being a "pre-audit spike."

  3. Pay attention to your competition and other organizations in your industry. Observe the compliance problems they have and use what they've learned to help your company be prepared and compliant. Also, be sure to pass along the lessons you learn from these other companies to your executive management, so they can begin to better appreciate a security philosophy that can keep your company from becoming an object lesson.

Again, my congrats to you on this new opportunity, and remember to focus on your main job, which is protecting the data, and then on doing your best to keep compliance at the forefront.

This was first published in March 2010
