The way he sees it, compliance fines pale in comparison to the cost of an actual security incident that can occur when proper precautions are not put into place. If an otherwise compliant organization misses a certain piece of the security puzzle, not included in “XYZ” regulations, and suffers a “denial of service” attack, then it stands to lose a lot more in lost revenue than if it had been secure but non-compliant.
Executives need to oversee a security program that meshes the security needs of their specific organization with the demands of regulators to prove security. They need to recognize that the organization has an ultimate responsibility to secure its data and that of its customers.
CEOs really need to eliminate the mentality that being compliant with regulations means their organizations are secure. Compliance is a measurement against regulatory standards, not necessarily a measurement of overall security. Look at the recent breach at New England’s Hannaford Brothers grocers. In that case, the company claimed that it was PCI compliant when the incident occurred. Even if this claim was true, compliance didn’t shield Hannaford in the court of public opinion, and it won’t shield your organization if something similar happens to you.
Guidance for Boards of Directors
“To achieve effectiveness and sustainability in today’s complex, interconnected world, security over information assets must be addressed at the highest levels of the organization, not regarded as a technical specialty relegated to the IT department.
Implementing effective security governance and defining the strategic security objectives of an organization are complex, arduous tasks. They require leadership and ongoing support from executive management to succeed. Developing an effective information security strategy requires integration with and co-operation of business unit managers and process owners.
A successful outcome is the alignment of information security activities in support of organizational objectives. The extent to which this is achieved will determine the effectiveness of the information security program in meeting the desired objective of providing a predictable, defined level of management assurance for business processes and an acceptable level of impact from adverse events.”
Information Security Governance: Guidance for Boards of Directors and Executive Management, IT Governance Institute, 2006
This is not only a safer and saner way of doing things, it is usually cheaper to boot.
In my opinion, there is definitely a wide-scale wake-up call that still needs to happen at the executive level in regards to this security compliance misconception.
“What I tell CEOs is make sure your security program is protecting your customers and protecting your business. Then give the auditors what they need for you to demonstrate compliance,” Pescatore says. “Decide what controls are needed to protect the business and customer data and then add some additional reporting functions that demonstrate compliance for all of them.”