Do or Don’t Do, Complain is Not an Option
7 February 2018 | 10:22 am
Recently I wrote an article about why compliance is good and how it can drive security. After I wrote it I saw a conversation on LinkedIn where security professionals were talking a lot of crap about compliance and I thought, “was I wrong?” That was a fleeting thought and I knew I wasn’t wrong in what I had written, but I also knew that we can’t keep complaining about the situation, talk shit, or roll our eyes; we actually have to do something that will bring about change or we are just part of the problem.
So what can we do about making a change so that compliance has a positive impact on security?
Let’s start with the reason compliance gets such a bad rap. Security professionals don’t see compliance helping to improve the security posture of an organization, and organizational leaders see it as a cost for something they don’t understand.
It looks something like this: 1) the organizational leaders have a bad attitude about it, thinking “it won’t happen to me,” and do the bare minimum for compliance in order to stay in business and avoid fines; 2) businesses are run by business people, and they may not truly understand that there is a difference between compliance and security; and/or 3) due to that attitude or lack of understanding, they don’t provide the resources needed (people, budget, time).
For the leaders, let’s be real: anything that can happen to the other guy can happen to you too. If Target, Sony, Whole Foods, Equifax, and so many more (it would take an entire article to list them all; you’ve read the headlines) can be hacked, so can you.
For the security and compliance professionals, if executives don’t understand the difference between compliance and security, are we really doing our job? Are we making their lives easier or harder? Are we just selling them something and leaving, or are we really advising and consulting?
No one in this world is immune to bad things happening, but these two groups together can do something to improve the odds.
When these two groups come closer together in understanding, conversation, collaboration, and implementation, we will actually start to move the needle.
The point of this short article is not a big how-to list or more checkboxes. It is an awareness piece. If you are reading this as an executive, you have a responsibility to learn more about how compliance and security are implemented in your organization. You must provide the necessary resources.
If you are a security or compliance professional, how can you help your clients navigate this so that it isn’t so hard, so expensive, and so daunting? What can you do to help them operationalize security and compliance and make it part of doing business?
I don’t have all the answers, no one does, but we have to start talking about it. We have to stop complaining and start acting. We don’t have to know how; we just have to know that it’s possible and that it’s important, but we have to start having different conversations. What problem are we really trying to solve, and who wants to take real responsibility for solving it?
If you want to further this discussion, I welcome a conversation; I want to help come up with the answers that I don’t have. I can’t do it alone because there are much smarter people than me out there. But until enough of us come together to solve the problem, and for that matter identify what the problem really is, not much is going to change.
Email firstname.lastname@example.org so we can talk in more detail.