Thinking About Compliance in September

Posted on by Fahmida Y. Rashid

Compliance is one of those never-ending things. If the organization is not in the middle of an audit, then it is either reviewing its results or preparing for an upcoming one.

That isn’t a bad thing, since the point is to be always compliant, not just sometimes. Unfortunately, compliance has a bad reputation because those regulatory activities can be so time-consuming. It may be frustrating to feel that the time spent on those activities could be better spent on other projects that meet specific security objectives.

Does being compliant really make organizations more secure? Perhaps. A Ponemon Institute survey found that PCI-DSS compliant organizations tended to be more secure than non-compliant organizations. On the other hand, we’ve seen that even PCI compliant organizations can suffer devastating data breaches.

It’s easy to deride compliance efforts as being “not real security,” but the fact is, compliance is mandatory for many organizations. The better question may be to ask how to bridge the gap between security and compliance so that focusing on the former takes care of the latter. Surely that isn’t an impossible dream.

How can we be compliant and secure? Wouldn’t it be a big relief if, by implementing a security program, the team discovered that when it was time for an audit, all the preparatory tasks had already been documented and taken care of? That is a worthy goal and one worth exploring this month.

There are many questions to consider, and we will touch on a few of them. How can the team map security best practices to compliance requirements? What gets frequently overlooked during an audit? What specific regulations do organizations typically need clarification on? What are some strategies for preparing for an audit? How can we make compliance more than just a checkbox exercise?

Let’s discuss how to work effectively with auditors and internal compliance teams. The actual steps may differ, but security and compliance professionals share similar goals: to minimize risk and support the business. Let’s talk about working together as partners and not as adversaries.

Never fear, this month won’t be all about compliance. We will share strategies from security pros like you about ways to secure networks and data. We will ask experts for their insights on major news events.

As always, we welcome your ideas. If there is something you would like to hear more about, or a topic you would like explored, let us know. Post on Twitter to @RSAConference, reach out to us via social media, or just comment below.

Fahmida Y. Rashid

Information Security Journalist, Editor-in-Chief, RSA Conference
