Security Versus Compliance

Sunday, December 05, 2010

Alexander Rothacker


Article by Richard Tsai  

The title of this post suggests that security and compliance are opposite concepts, but we all know they are not.

In fact, we know the two to be intricately intertwined. Security for databases still requires more awareness, but the problem should no longer be an unknown.

I recently re-read an article published in InformationWeek titled “Epic Fail” by Greg Shipley, and he skillfully points out,

“… with databases a top target and related security spending being relatively minimal, it’s no wonder that in 2009, 92% of the record losses looked at by Verizon were related to them.  We’d say database security auditing tools and database activity monitoring systems might be worth a bigger percentage of the budget, or at least an evaluation.”

I have been witnessing an overall maturation in Information Security and Information Assurance teams as they develop greater skill sets in the database security arena, where traditionally their skill sets have leaned more toward perimeter and network security.

However, projects that lead to better protection of databases do not start organically within the security organization; instead, they are fostered by compliance initiatives. This is where security and compliance are sometimes at odds.

The goals of security and compliance are the same. They both attempt to prevent theft and fraud. However, the methodologies for achieving this differ between a security-centric and a compliance-centric approach.

And with compliance-centric approaches providing the funding, we will achieve only limited security improvements. We need more information security superheroes.

By definition, Information Security teams need to fully identify the vulnerabilities and threats that exist in the IT infrastructure, advise the business leaders, and protect it. Security teams should be brutally honest and expose the true technical risks.

This will allow business leaders to make informed decisions: should they fight the risk now, or should they knowingly accept that the risk exists and fight it another day?

Security teams cannot be handcuffed to the sidelines and fall behind the cutting edge of technology while their opponents, the bad guys, employ new technologies and techniques every day. Good security teams need to have the ability to play the “leap frog” game.

The goal for a Compliance team is to ensure that the business complies with a set of regulations (which include a security subtext). Whether the regulations are government imposed or industry imposed, the reason they exist is to make certain that a minimum security baseline is met.

This is certainly a good thing. However, if a corporation’s security culture focuses primarily on just being compliant, then it will leave itself exposed. I’m sure you’ve heard of Albert Gonzalez and the companies that he and his associates victimized? Some of those organizations were PCI-compliant, weren’t they?

A security culture that relies on just complying with regulations will always lag behind the threats. Waiting to make changes based on independent security audits is not the formula for good data protection.

Changes to the PCI Data Security Standard occur every 2 years. Please don’t misunderstand my stance on compliance. Compliance is important. It forces industries to build a security foundation, but it must be partnered with a strong culture of security advocacy to be truly effective.

A recent research paper by Unisphere Research, “Data in the Dark: Organizational Disconnect Hampers Information Security” (PDF), reveals that database security projects are largely delayed due to budget constraints and a lack of understanding of database threats. This is not surprising.

Most corporations do not have strong security cultures. Who with a budget is going to understand the anatomy of a database attack? Security advancements at many corporations are uphill battles that are largely enabled by compliance projects.

The gold is in the database.  Security practitioners need to step up and fight the right battle and make database security a priority in compliance projects.

Remember, good security = compliance, but compliance ≠ good security.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
