Feature

Prioritizing compliance and information security

Ezine

This article can also be found in the Premium Editorial Download "Information Security magazine: Compliance vs. security: Prevent an either-or mentality."

Download it now to read this article plus other related content.

Few would dispute that regulatory mandates have forever changed the role of IT security. The risk of financial sanctions, public embarrassment and potential jail time for executives has raised security awareness from the back office to the board room.

"Roll the clock back a few years and look at the challenges security professionals had then," says Eric Litt, chief information security officer at General Motors. "They were trapped in the middle layer of management. They certainly didn't have the support or understanding of upper management. And if they were trying to make the right IT security moves, they were pushing snowballs uphill."

But it's debatable whether this increased attention toward regulatory compliance has had its desired impact and actually improved the overall IT security of regulated organizations. Many security managers, in fact, argue that compliance has to varying degrees weakened their priority--that the target sights have shifted from reaching a state of overall security to attaining adequate levels of compliance, and satisfying auditors' checklists.

"A lot of security initiatives in many companies got shelved. Everyone has a limited budget, so some security projects got pushed lower on the agenda," says Lloyd Hession, chief security officer at New York-based financial network services provider BT Radianz. He contends that technologies such as intrusion-prevention initiatives, enterprise digital rights management, and even network

    Requires Free Membership to View

admission control were postponed in many companies to make way for the capital that needed to be spent on attaining compliance.

"All of those things are nice security projects, but it's hard to see how they get you to Sarbanes-Oxley (SOX) [compliance]," Hession says.

This was first published in March 2007

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: