The dawn of the age of IT compliance has had any number of consequences for IT staffs in general, and security teams specifically. Now, instead of simply worrying about whether the network is running properly and the good guys can get in and the bad guys can’t, security specialists have to consider how every modification, deployment and installation they make might affect the company’s compliance with PCI DSS, Sarbanes-Oxley or HIPAA. Not only that, in many organizations, the security team is explicitly responsible for the overall compliance effort itself, on top of its regular duties.
At a seminar on compliance that SearchSecurity.com put on this week, I asked for a show of hands among the attendees on who was a trained security professional and who was more of a compliance and policy specialist. Somewhere north of 90% of the people identified themselves as security pros. And yet, here they were at a seminar on compliance, learning the ins and outs of every regulation under the sun and how to stay on the auditor’s good side. Many of these same people said that their companies also had a separate compliance group, but the security teams still shouldered a lot of the day-to-day compliance burdens. And these were professionals from some of the larger financial services, health care and retail companies in the world.
What this tells me, and what the attendees said themselves, is that even the biggest, most highly regulated companies still don’t have this compliance thing licked. A lot of the talk I hear at conferences and trade shows is about how to become compliant with one product, or framework or set of policies. Those things are certainly vital components of a compliance program, but the ugly truth is that regulations and networks change and shift constantly, and even if you passed an audit this morning with flying colors, you were probably out of compliance by the time you got back from lunch.
I would wager that the number of security professionals who got into the industry hoping to work their way into a compliance role approaches zero. But, virtually every expert I talk to about this tells me that there is more regulation coming in the near future and that things are going to continue getting more and more complex. This means more time poring over arcane legislation and industry requirements and less time solving interesting security problems. At that same seminar, I asked our two speakers whether they thought compliance should be the job of the security staff, and they both said no, compliance demands its own dedicated staff and the security people are too busy. Ah, well. It’s certainly not pretty, but there it is.