Compliance isn’t always a four-letter word
I’m in Australia this week speaking with a number of companies about what they’re doing and why, with regard to security and compliance. I’ve found that the attitude towards compliance is generally very healthy, and seen as adding value. This is different from the typical reaction I get in the US where many organizations see compliance as a “tax” and try to get away with doing the bare minimum.
Some of this difference is likely cyclical – things like PCI are still on the upswing in Australia, whilst it’s mostly implemented in the US. But, even in the Australian companies that are compelled to comply with PCI and other regs, the attitude toward compliance seems different…somehow healthier (or, at least, more optimistic).
Compliance is not the destination
Most of the Australian organizations I’ve spoken with see compliance as useful and adding value. I’ve asked a number of questions to try to figure out the difference, and I think a lot of it stems in the perception that compliance is a step, not the destination. For example, one of the CISO’s I spoke with said, “I have the need to be compliant, but the want to be secure, so we’re going to use PCI as our basis and build on it to improve our security.
Another Security Director commented that “All security has an element of compliance with something - it just doesn’t always have some agency on your back to fine you if you don’t manage your compliance well.” Maybe that’s the difference – the companies in the US don’t like being told what to do?
These conversations reminded me of some of the data from the recent study on “The State of Risk-Based Security Management (RBSM),” in which we saw a big difference between the US+UK perceptions of the benefits of risk-based security management, when compared to the perceptions of respondents in The Netherlands+Germany:
As you can see, compliance was the primary benefit perceived by respondents in The Netherlands+Germany. The study didn’t include Australian responses this go-round but, based on my observations from this week, I suspect they would mirror those of The Netherlands and Germany, rather than those of the US and the UK. It will be interesting to see what happens in the future when Australian companies are surveyed for the RBSM study.
Compliance can help set priorities
One example of “value-added” compliance that came up quite a bit this week was based on guidance from the Australian Dept. of Defense in their document, “Top 35 Strategies to Mitigate Targeted Cyber Intrusions.” This document contains a prioritized / ranked list of controls, countermeasures, and strategies to help organizations improve their security against common intrusions. You may argue a bit about the exact order, you may want to add an item or two, etc. – for example, I’d add a specific item around hardening your systems – but the list is pretty solid.
They Australia Department of Defense also did a good job of “marketing” the value of following these guidelines, such as this claim: “…the effectiveness of implementing the top four strategies remains unchanged. Implemented as a package, these strategies would have prevented at least 70% of the intrusions that DSD analysed and responded to in 2009, and at least 85% of the intrusions responded to in 2010.” No wonder people aren’t complaining about complying with this one.
One of the folks I spoke with said that he values compliance as a way to “set priorities, in the midst of an overwhelming number of potentially useful options.” It’s hard to argue with that.
What do you think?
How do you and your organizations view compliance? Do you see it as a four-letter word, a nuisance, or as a step along the path to more effective security? If you chime in on this one, be sure and let me know where you are doing business.