
Information security program development: Security vs. compliance

Some enterprises can be compliant for their audits, but let security slip the rest of the time. In this expert response, Ernie Hayden explains how to get your enterprise to focus on security rather than just compliance.

I've recently become a security manager at a company that has a history of being "compliant for the audit," meaning, before an audit there's a big push to make sure everything's up to snuff, and the company passes; afterwards, security becomes lax once again. What would you say are best practices for creating a security culture where information security is the goal rather than audit compliance?

First of all, congratulations on becoming a security manager! Well done! It can be a terrific, challenging job, though sometimes filled with frustration and moments when you wonder if you can ever be successful. However, I do compliment you for at least being aware of the culture you are working in; hopefully, it is an exaggeration and not the truth.

So, your challenge is not only to do your job as the security manager, but also to commence information security program development and foster a culture of security. Here are some thoughts on how you might want to proceed:

  1. Meet with the CIO, internal audit manager, CFO and even the CEO to better understand their concerns and interests in the area of compliance and audits. Try to ascertain if they are truly only focused on passing during the audit or if there are other barriers or reasons behind this perception. Perhaps they may see the compliance work as being too expensive. Therefore, you may be able to make a case for being continuously compliant to keep costs level and perhaps even lower, especially if fines are involved.

  2. Establish a schedule of internal audits. Work with the internal audit department and select particular areas of compliance on which to perform monthly reviews. For example, if the company must be compliant with the Payment Card Industry Data Security Standard (PCI DSS), then you can take one area a month (i.e., one month for each of the twelve sections of PCI DSS) and perform a spot check or informal audit. Then, with the findings determined, work with the responsible department to help them make calm, focused corrections to their program and processes that have long-term impact rather than being a "pre-audit spike."

  3. Pay attention to your competition and other organizations in your industry. Observe the compliance problems they have and use what they've learned to help your company be prepared and compliant. Also, be sure to pass along the lessons you learn from these other companies to your executive management, so they can begin to better appreciate a security philosophy that can keep your company from becoming an object lesson.

Again, my congrats to you on this new opportunity, and remember to focus on your main job, which is protecting the data, and then on doing your best to keep compliance at the forefront.

This was last published in March 2010
