Security From Scratch: Using Compliance For Good

by Dennis Kuntz

“This isn’t just a legal compliance issue for us. We consider the privacy issue to be an opportunity to reinforce our brand image.” – Tom Warga, SVP and General Auditor, New York Life Insurance Co.

Early in my career I accepted a job rich with challenges and opportunities. It was for a bank that was not yet Y2K compliant (and yes, this was pre-2000), was under a cease-and-desist order from the Office of Thrift Supervision (OTS) and had a very inefficient system that needed to be rewritten from scratch – from the front end all the way to the back.

They wanted the system completed in technologies with which I was cursorily familiar (though I at least had industry experience). In addition to rewriting the system, I was also starting it months after the OTS had wanted new “financial systems” to be completed (which did not enhance their patience in dealing with us).

On my first meeting with the auditor for the OTS to lay out my plan, I thought I’d break the ice by cracking a joke. I told him, “It’s not Y2K that worries me. It’s Y10K – those 5 digit years are going to be a bear.”

My attempt at humor was met with a blank stare, an uncomfortable silence, and then a humorless statement about the requirements we needed to fulfill.

This set the stage for my first real introduction to compliance – putting it in place, those that enforce it, and those holding you responsible for the first two items.

Putting Compliance In Its Place

Focusing only on compliance almost by definition limits its usefulness.

Many compliance standards change in order to encompass tactics that have already been tried. Bruce Schneier has covered this concept within the context of terrorism and explains how ineffective it is.

However, most compliance standards also have a “spirit” (or intent) in addition to the “letter of the law”. For example, HIPAA aims to protect “individually identifiable health information”; PCI aims to protect cardholder data, etc. By focusing efforts on embracing the spirit of the compliance standard, the end result is “compliance” and a vastly superior job at actually protecting information.

Answering for Your Efforts

Having to “answer for your compliance efforts” doesn’t always mean an audit.

Sometimes there is an internal role that oversees compliance efforts for the whole company. In my opinion, the best way to deal with anyone whose job it is to judge your efforts is to be honest (of course), but in a way that first seeks to understand their role.

When dealing with an auditor, try to understand what it is they are looking for (fellow contributor Jim McFee does a great job of explaining this perspective).

Often, auditors are looking for proof that the “letter of the law” was followed, or otherwise properly addressed. By understanding the auditing procedures and general expectations regarding the compliance standard, it is possible to position actions in a way that makes sense, demonstrates compliance and reduces friction.

The advantage (albeit sometimes hidden) when working with an internal colleague is the simple fact that everyone shares the same corporate goal: achieve compliance and protect company information. Working toward a common goal makes a difference (along with a deep breath and sometimes a squeeze ball).

Using Compliance for the Greater Good

Information security compliance standards almost always receive the attention of those who may not normally be focused on information security risks: legal, management, etc. This is primarily because of the legal and financial implications of not obtaining or maintaining compliance.

This attention can be turned into an advantage in managing the company’s risk.

Not only may decision makers be more willing within the context of a compliance effort to spend money on information security, but they may also be more open to education and awareness efforts.

Ultimately our job is to protect company assets and help to manage risk.

While on the surface compliance can simply be a necessary evil, when looked at with some creativity, most compliance efforts present opportunities to improve the security posture of your company beyond the requirements themselves.