This article can also be found in the Premium Editorial Download "Information Security magazine: Compliance vs. security: Prevent an either-or mentality."
Download it now to read this article plus other related content.
Few would dispute that regulatory mandates have forever changed the role of IT security. The risk of financial sanctions, public embarrassment and potential jail time for executives has raised security awareness from the back office to the board room.
"Roll the clock back a few years and look at the challenges security professionals had then," says Eric Litt, chief information security officer at General Motors. "They were trapped in the middle layer of management. They certainly didn't have the support or understanding of upper management. And if they were trying to make the right IT security moves, they were pushing snowballs uphill."
But it's debatable whether this increased attention toward regulatory compliance has had its desired impact and actually improved the overall IT security of regulated organizations. Many security managers, in fact, argue that compliance has to varying degrees weakened their priority--that the target sights have shifted from reaching a state of overall security to attaining adequate levels of compliance, and satisfying auditors' checklists.
"A lot of security initiatives in many companies got shelved. Everyone has a limited budget, so some security projects got pushed lower on the agenda," says Lloyd Hession, chief security officer at New York-based financial network services provider BT Radianz. He contends that technologies such as intrusion-prevention initiatives, enterprise digital rights management, and even network
"All of those things are nice security projects, but it's hard to see how they get you to Sarbanes-Oxley (SOX) [compliance]," Hession says.
This was first published in March 2007