Welcome to NBlog, the NoticeBored blog

I may meander but I'm exploring, not lost

Oct 13, 2010

Should Compliance be part of Information Security?

The first recommendation in Verizon's latest report on PCI compliance reads:
Don’t drive a wedge between compliance and security.  Whatever your stance on the “compliance vs. security” debate, hopefully we can all agree that intentionally keeping them apart doesn’t make sense from either a compliance or a security perspective.  Why force a false dichotomy between two concepts that should, in theory, be in alignment?  After all, they both have the goal of protecting data.  Sure, maybe you’ll need to do some things for compliance that you wouldn’t do for security (based on risk assessment or tolerance) or vice versa, but it’s hardly an either-or situation across the board.  The overall direction of managing compliance should be in line with the security strategy.  Is your compliance management team the same as your security management team?  If not, is there a concerted effort to collaborate when and where possible or do both sides govern their own private islands with no trade routes between them?  If the latter situation is truer of your organization, perhaps you should ask why and whether it’s best for it to remain that way.
I guess one reason why an organization might want to keep [security] compliance and [information] security totally separate is essentially the same argument that separates Audit from the operational business: independence helps the function see things for what they truly are.  In this structure, the compliance function is therefore operating like audit, assessing compliance and, presumably, persuading information security, IT or other functions to do whatever needs to be done to achieve compliance, rather than doing those things itself.  It's not much of a stretch, then, to make this kind of compliance function a part of audit.

Another legitimate reason for separating the two is that compliance issues are far broader in scope than merely [information] security.  Organizations are for instance obliged to comply with health and safety, tax and human resources legislation, plus all manner of commercial/contractual obligations and industry regulations that fall well outside the sphere of information security, as well as those that span the boundary or fall entirely within it.

Anyway, that said, I agree with the thrust of Verizon's recommendation that close collaboration between compliance and security functions, if not full integration, is important.  I would add that close collaboration is equally important with numerous other functions, such as IT, physical/site security, risk management, HR and in fact "the business", meaning the organization's profit centers.  It's hard to imagine how they could work productively otherwise.  In fact, this whole issue might be merely a blinkered view of the formal stovepiped organization chart, whereas in reality the informal network of colleagues, peers, influencers and decision makers implies working relationships between a wide variety of people having some level of professional interest in information security, and myriad other things.  Contrary to the org chart's satic, flat appearance, organizations are in reality fluid, multidimensional systems. 

Regards, Gary

PS  Being picky, I might challenge Verizon's assertion that protecting data is a goal of compliance.  It seems to me that compliance aims to ensure that the organization fulfills its obligations, which is essentially a matter of risk management (do the projected benefits of compliance outweigh the projected costs of noncompliance?).  To what extent that includes data protection depends on the obligations, not on the compliance function's mission statement.