SAN FRANCISCO -- Balancing compliance and operational security demands is one of the hardest tasks enterprises must overcome. But the odds of success can be improved both by solidifying leadership cooperation and by drawing security measures from compliance frameworks and standards.
In a session last week at RSA Conference 2015, Steven Winterfeld, the information security officer for a bank supporting a Fortune 300 company, discussed the importance of integrating IT security and compliance.
"A lot of people like to bash compliance," Winterfeld said, "but I like to use this analogy." On the left-hand side of the screen was a fire marshal inspecting pipes; on the right-hand side, a firefighter in front of flames.
The person fighting fires was more exciting, Winterfeld said, but "the fire marshal, the compliance, is a key component of prevention. We need to look at that appropriately."
However, you can't only have compliance, either.
"I'm not going to live in a town without a fire department," Winterfeld added. "When the building catches on fire and the sprinkler system starts, I still want the fire department coming."
Getting leadership on board
"Your job is to make sure leadership understands the risks and is equipped to make a decision on where to accept it," Winterfeld said. "Build consensus on criteria, definition, impact ranking and visualization of risk."
Using the proper metrics is also vital. Winterfeld added, "If it doesn't give your leadership situational awareness to make a decision, then it is a very poor metric."
The leadership team should also be able to articulate the security plan. "Ask the leaders of your company what the cyberissue is," Winterfeld said. "If they can't tell you what your operational- or compliance-driven program is, then you've missed the boat."
Part of this, Winterfeld added, is knowing how to speak to each audience. For example, a security manager who overloads top executives with a stream of technical jargon will likely find those executives tuning him out. Speak in a language they understand, Winterfeld said: talk business to a CIO, not tech; it will get you much further.
Also, Winterfeld said, implement a plan based on "return on impact" -- not return on investment.
Getting security out of compliance
There are a number of compliance frameworks and guidelines, Winterfeld said, that can help enterprises achieve IT security and compliance. However, the security controls in them will not necessarily jump out at you; rather, the security is baked in and must be extracted and put to use.
Winterfeld listed a number of compliance frameworks and standards -- including ISO, NIST, COBIT, OCTAVE, ITIL and Six Sigma -- enterprises should consider using depending on their particular situation.
Talk to the rest of the organization, Winterfeld said. If these frameworks, guidelines and standards are being used elsewhere, see what can be gained from them security-wise.
Incorporate security processes into other parts of the company, Winterfeld said, including the supply chain, social media, business continuity and disaster recovery planning, and software development.
"If all the security is inside the security department," Winterfeld added, "you're fighting an uphill battle. People should be using security tools and processes outside of your department."