Published: 28 Jul 2005
If you're like many security managers, you spend the bulk of your time peeing on the fire nearest your boot. Sorry to be so crass, but it's true: Security pros are legendary for fighting fires rather than looking for better ways to prevent them.
Yes, getting strategic is tough. Rare is the opportunity to sit at the table where big picture business and IT decisions are made. Security was and is an afterthought at most organizations, and changing that dynamic ain't easy.
The new regulatory environment can change all that. We're now entering "version 2.0" of compliance management, and security has a golden opportunity to gain a seat at the table. But it's up to you to make it happen.
There are lots of new features in Compliance 2.0. Audits will be tougher. There will be less flexibility and patience with lack of progress or results. Real monetary penalties will be levied against real companies--maybe yours.
Internally, Compliance 2.0 is all about continuous process improvement. Now that you have better insight into what the regs specify, you'll need to standardize how to implement them in an ever-changing IT environment. Now that you have exposure into how much it costs to bring the organization into compliance, you'll need clarity on the cost to keep it there. And above all, you'll have to sort out vexing governance issues--who's responsible for what.
For security, all of this amounts to both an opportunity and a risk. The opportunity is to seize the moment and be the champion; the risk is sitting back and "letting change happen" to you.
The reason security is in a prime spot to contribute here is because all the stuff you've been doing for years is directly applicable to the demands of Compliance 2.0. Security has always been about keeping the bad guys out, letting the good guys in and identifying anomalous traffic or system activity. All of this maps to the need to demonstrate control over the "lifespan" of protected information (financial records, personal identification information, health records, etc.).
Ah, yes, the devil's in the details. For instance, as everyone knows, SOX implies that IT controls are critical to overall internal controls, but it doesn't specifically address the issue of IT controls. That's left up to still-evolving frameworks like PCAOB's Audit Standard #2, COSO, COBIT and SAS 94. Your job as a security manager is three-fold: Understand these frameworks and their strengths and weaknesses in your environment; help your organization codify which combination of internal and external guides you will use; and unify this process with that of your external auditors.
There's lots of good, vendor-neutral information out there on how security can contribute to this effort. Two examples: The CyberSecurity Industry Alliance's guide to "Implementation of IT and Security Objectives" for SOX is a great overview of the status of the PCAOB and COSO guidelines (www.csialliance.org). And the Institute of Internal Auditors guide to Information Technology Controls details everything from analyzing risk to monitoring to IT control metrics. It also contains a lengthy list of compliance-related reference material on security governance, management and auditing (www.theiia.org/index.cfm?doc_id=5166).
The bottom line is this: Compliance 2.0 is a steep hill, but it needn't feel like you're pushing the cart alone. Getting to the top of the hill is certainly worth the push, for there lies a new, more strategic, more valued role for information security.