Problem
IT organizations spend billions annually on compliance-related projects, covering hardware, software, external consultants and (often uncounted) internal staff time. The underlying question is whether that compliance spending actually improves the overall level of controls and security within a company. John Rostern, Jefferson Wells' Eastern Region Practice Leader for Technology Risk Management, puts it this way: "The underlying issue is that compliance with regulatory standards such as PCI DSS and GLBA can lead to a 'check the box' approach. In an era of concurrent constraints on budgets and increases in oversight, the temptation to find the quickest and least expensive way to check that box can be compelling. The checkbox approach can also hide the true state of IT controls and security in the organization. Having a report in your hand that 'proves' your compliance provides little comfort in the face of an actual data breach or other security incident."

These concerns are well founded. Heartland Payment Systems, a leading payment processing company, reported in January 2009 that its systems had been compromised by malware, even though it had been assessed as PCI DSS compliant. As the Heartland breach illustrates, an organization can be PCI compliant and still be breached: a compliance attestation is a point-in-time statement about a defined scope, not evidence that controls are operating effectively against real attackers.
• What are your thoughts on the relationship between regulatory compliance requirements and information security?
• What kind of approach provides the foundation for a strong controls environment, which in turn will help the organization to achieve and maintain compliance?