Report Card: Incite #4 - Stay out of Jail
In the last Report Card for today, let's look at what happened in the wild and woolly world of compliance.
Incite #4 - Stay out of Jail
Compliance continues to generate tremendous hype, but largely remains a red herring throughout 2006. Smart users will use the compliance word to get funding for critical imperatives (perimeter redesign, identity management) and sufficiently document their processes to keep regulators happy. Those not-so-smart users figure encryption is a panacea and buy some, ultimately realizing that making encryption work on a large-scale basis hasn't gotten any easier.
Grade: A
Original Days of Incite post: here
Incite Redux post: here
Finally, a decent Incite that actually turned out to be right on. Clearly the wind is out of the sails of “compliance” as a term, and if anything CEOs and CFOs are now asking the tough questions about what all this compliance stuff they’ve bought does.
So we will look back at 2004-2006 as the halcyon days for compliance. Now it is truly an operational aspect of every security program. Those that don’t ask about the compliance impact of any new infrastructure or applications are clearly asking for trouble. And don’t expect to get more funding or resources to do “compliance.”
As security professionals, everything we do should generate an artifact (report, graph, other document), and that artifact can be used to substantiate the controls in use by the security program. It's the presence of those controls, and the comfort that issues will be remediated fast and completely, that the auditors are most interested in.
What we didn’t see as much of was widespread adoption of encryption. Instead we saw pockets of strength and great strength at that. The number of lost/stolen laptops and the associated PR and notification fiascoes made it very clear that mobile devices need to use encryption to protect the private and sensitive data on those devices.
The good news is that whole disk or desktop oriented encryption is quite leverageable, and not just from a compliance standpoint, so this is one of those technologies that is bought to solve a compliance problem but ends up being pretty strategic over time.
How does it become strategic? Basically as part of a broader data security environment that controls and protects data at its fundamental element. We are still a ways away from even having technology to do that, but having that data on the mobile devices protected is a start.
It’s not clear yet that “compliance” will get another Incite in 2007 since it is rapidly being subsumed into all security operational activities, but don’t be lulled into complacency. There are compliance considerations in everything that you do as a security professional.