It should be a simple question, but it isn’t. The primary purpose of compliance is to ensure security, so in theory each should imply the other: if you are secure, you will be compliant, and if you are compliant, you will be secure. Sadly, this isn’t always the case in reality.
“The conventional meaning of compliance”, says Jeff Gould, president at the cloud computing forum SafeGov.org, “is that you comply with a set of rules”. The problem is that those rules do not, and cannot, guarantee security; they can only seek it. “Compliance is always chasing, but never quite catching up with security”, Gould remarks. In reality, then, compliance and security are two separate things that need to be considered individually.
US vs Europe
It is further complicated by different approaches taken by the compliance regulators on each side of the Atlantic. Europe opts for ‘principle-based’ legislation; the US takes a rule-based approach. The difference can be seen in compliance regulations that are relevant on both sides of the Atlantic: in the principle-based European data protection laws (DPA), and the rule-based Payment Card Industry Data Security Standard (PCI DSS).
There are advantages and disadvantages to both approaches. The European approach, explains Ben Rapp, CEO at IT services firm Managed Networks, “doesn’t tell you what threats you should guard against, it tells you what outcomes you should avoid”. In the case of the European data protection laws, the outcome to be avoided is the loss of personal information – but the European Commission’s data protection directive does not specify how that outcome is to be achieved.
The Americans, however, Rapp continues, “say you must do this, you must not do that – and the ‘this’ and the ‘that’ are quite specific”. As a result, PCI DSS compliance is more easily achieved than DPA compliance. With the first you can take a tick-box approach and “comply with the letter of the law, while not complying with the spirit, and get away with it”. In theory, he adds, “with principle-based regulation, you cannot comply with the letter and not with the spirit, because the regulation is the spirit”.
The result is that you can believe you are compliant with the essence of the European regulations, and only find out that you are not compliant after you have been breached. In contrast, in America you can be breached and still be compliant because you ticked all the prescribed boxes.
IT or Risk Management?
It is little wonder, then, that with such a confused regulatory regime to follow, industry has taken a similarly confused route. The basic question is whether the security officer should be the same person as the compliance officer – and the general consensus is that it should not.
Historically, operational information security has lived within the IT department. From the European perspective, however, compliance is largely interpretive: it is about deciding how basic principles should be implemented, which is generally considered to be beyond the scope of IT. Furthermore, financial compliance regulations usually involve more than just the keeping and processing of data.
Compliance consequently sits more comfortably within overall business risk management than it does within IT.
As Mark Childs, a partner of technology risk management at Kingston Smith Consulting, puts it: “Organizations in heavily regulated industries usually have a separate regulatory compliance function that monitors the external regulatory environment and translates it into corporate policies and guidelines that the business units should follow. They also have a monitoring role within the organization to ensure that policies are being adhered to – however, these compliance functions rarely have any involvement in the information security capacity.”
Compliance and Encryption
Encryption illustrates the problem. The IT manager might propose cloud storage as an efficient and cost-effective policy. The security manager might then point out that for the data to be secure in the cloud, it will need to be encrypted. It would, however, take a compliance manager to explain that unless the keys are managed carefully, even encrypted data may well be non-compliant in the cloud: whoever controls the keys can read the data, so if the provider holds them, the data are effectively still in the provider’s hands, whatever the cipher.
“One of the problems that we’ve created for ourselves”, says Ben Rapp, “is that we’ve set out legal responsibilities that are quite onerous and that people barely understand.” On top of that, he continues, “we’re now recommending use of a technology that people definitely don’t understand to protect data being stored in another technology that they don’t understand, governed by terms and conditions they haven’t read”.
So Who Owns Which?
In reality, of course, only the larger companies will have sufficient manpower and budget to keep security and compliance completely separate. The emerging consensus, however, is that there are three basic levels to security and compliance. At ground level, everybody – every individual member of staff – must ‘own’ both security and compliance. It is everybody’s responsibility to remain secure and maintain compliance.
But, Jeff Gould points out, “most breaches of ostensibly compliant companies come through human error – such as clicking on a spear-phishing link. How can you legislate against human error?”
At the operational level, the two disciplines are separately maintained by a security officer aligned to the IT department, and a compliance officer aligned to the business risk department. Although operationally distinct, they need to work closely together. “The compliance officer”, Rapp explains, “is effectively a customer of the IT security function, and tends to be the person that the IT function goes to for compliance budget – the compliance function tends to rank higher than the IT security function”.
The top level is the supervisory rather than operational level; and it is here that the two functions fuse. The emerging role is that of chief information security officer (CISO), and his/her responsibility is to combine the two into a business enabler.
“The mature organizations that have realized this”, says Neira Jones, head of payment security at Barclaycard, “have aligned their corporate governance frameworks not only to include business risks but also information risks. This is why the industry is seeing a very definite shift towards risk management – and the new chief information security officer is now being asked to become a business enabler and evangelist rather than a policy producer and technology implementer only.”