Security and Compliance - Strange Bedfellows Indeed

Rafal Los — Thu, 01 May 2008 14:24:00 GMT

It's a classic problem of which came first... the chicken or the egg? politics or corruption? security or compliance? While I admit, it's not such a strange thing to see the two groups working together these days... I would like to point of some of the issues that I've come across between these two very important groups in today's enterprises.

The issue of compliance is much like the issue of legal counsel. All large enterprises, and even most small business have someone that's responsible for compliance - occasionally you'll see an entire department dedicated to the daunting task of keeping up with regulations, compliance policies, and the ever-changing landscape of procedural accountability. Oddly enough, there is not a one-to-one relationship between the compliance department and a security department. I've spent a large portion of my IT career in situations just like this and I would like to share some of my understanding with you.

Compliance, while not always a necessity in private businesses, is almost always present in larger, pubilc enterprises. The compliance department is responsible for making sure the business is in-line with self-imposed corporate regulations and policies, industry-consortium regulatory guidance, government oversight and policy even international laws too! It's amazing these groups can even keep this stuff straight, right? What's equally amazing is how often compliance relies on IT Security for guidance and implementation of compliance components. This of course begs the question - would IT Security exist in some organizations if there was no compliance stipulation for such groups? On the flipside of that... in a perfectly secure world where no one is ever malicious - what would be the need for the compliance group? So while it may be a stretch to say that one group cannot function properly without the other (I will concede that they can, albeit poorly) each is heavily dependant on the other for its very existence within a business. This is where I find some strange... interactions.

As I've stated, the security team often carries out part of compliance policy or regulations; or performs audits to ensure that the same regulations are being followed - but I feel like even in these cases the synergies between these groups are under-utilized. I can't count the number of times I've been turned down for an IT Security initiative (which made perfect business sense, by the way - but was simply under-funded) only to push that same initiative through under the guise of a compliance regulation - through the compliance team. In return... the compliance teams I've had the pleasure to work with have repeatedly called upon my security resources to be the "muscle" behind their policies.

As I travel and talk to different groups about Application Security, I am agaff at the number of times that I get an entirely blank stare when I try to explain how leveraging compliance is a sure-fire way to get security initiatives done. Here's my reasoning... see if you disagree...

Compliance is a "necessary evil" which exists to keep the business in good legal and regulatory standing
IT Security exists to keep the balance of risk/reward within the business IT as balanced as possible
IT Security should be looking to enact initiatives which work to support the business

If you take all 3 points above as truth (and I firmly believe they are) then it's a logical next-step to say that IT Security initiatives and Compliance initiatives will greatly overlap. An overlap within two very necessary units of the enterprise will always, without fail, lend more credibility to their efforts and causes. If both the security and compliance teams are pushing the same agenda, it becomes very difficult for a business owner to simply dismiss that agenda as unnecessary or frivolous.

So a lesson-learned here - if you're not already doing this... here are some very simple yet extremely effective (based on personal experience and first-hand accounts) techniques for getting things "done".

Open a regular dialogue with your complaince team. Meet once a quarter, once a month, or once a week as permissable to discuss what you're independently working on
Find overlaps in your goals from a non-technical perspective
Create a joint strategy for compliance and technical implementation of initiatives previously agreed upon
Review business requirements jointly - ensure that both groups understand each other's point-of-view

Given these very simple, and probably obvious, steps - I can virtually guarantee a more successful IT Security goal achievement. You'll work less uphill, you'll "win" more often, and you'll do a much better job not only understanding but supporting your business - that makes everyone happy.

The Politics of Getting Hacked

Rafal Los — Sun, 06 Apr 2008 03:07:00 GMT

It's the words that keep IT Security Managers up at night - "We have a problem, I think we've been hacked". Of course, there are few possible responses...

Acknowledge Responsibly - You can acknowledge what has happened, open an investigation, and communicate with the public and your customers. While this may be initially bad PR, in the end it shows responsibility and maturity of process and management
Acknowledge Irresponsibly - You can acknowledge the issue but attempt a campaign of mis-direction and cover-up. Redirect blame to partners, vendors and even former employees, release mis-leading information about the magnitude of the issue and do not publicly investigate the breach.
Bury It - Re-direct blame, issue no statements or official information

The problem is this - you know which you want to do, but which option will your lawyers allow you to take? There are many IT Security departments which are run more by the company legal counsel than the IT Security manager or CISO. Why is this you may ask? Lack of planning and initiative. If a CISO has no strategic, pre-planned response plan for that dark day - the lawyers will more often than not take over and try and guide the company out of trouble (and in the process create a bigger problem). Responsible breach disclosure isn't easy to plan for, and if executed poorly will potentially cause a catastrophic end. This game isn't for the faint of heart.

The purpose here isn't to poke at the legal counsels, in fact, they're entirely necessary and should be your allies. They should not; however, run your crisis management process. Crisis management should be left up to those who are trained for it, and not to the CEOs, the lawyers, or the PR department. Litigation should be a component of your crisis-management process but if you lose control of the situation as the "security" function - you're in for a rough ride.

As the title of this entry suggests, there is a political component to every "incident" that must be carefully navigated. Leave room in your response strategy (crisis management process) for all those previously mentioned folks to do their part - but make sure you understand that you have to control the situation. You're only going to accomplish any semblance of control by planning in advance, working your plan through the ranks, and making sure you have buy-in long before the call comes. This is really a case of failing to plan means planning to fail.

Politics is a dirty business, but unfortunately you cannot escape it, even in IT Security management. Remember, make allies, plan ahead, and get buy in and you'll weather the storm. Otherwise... I need to tell you a story about 3 envelopes...

Following the White Rabbit Blog : politics

Security and Compliance - Strange Bedfellows Indeed

The Politics of Getting Hacked