Thursday, December 16, 2010

Compliance or Information Security

Some in the information security field argue that compliance requirements like PCI and SOX are ultimately harmful to true information security, since they place so much of the focus on just meeting the requirements, rather than on really being secure.

While this may be true for a limited number of organizations, I am convinced that most companies that only take a "checkoff" approach to these regulations would not have strong overall information security efforts even if the compliance requirements did not exist. In fact, I suspect that many of them would be doing much less in the area of information security.

I did have someone state that PCI worked against true security at one point, though I can't remember the precise argument now. I wasn't convinced then, nor am I now. Some of the specific requirements may be squirrely, but the overall direction is great.

I do believe an organization with a strong information security practice would not have problems meeting related regulations. They may have to do a few more things, but strong information security will already be dealing with the related concerns.

I am not sure such an organization exists though, so this may just be a pipe dream!