Security executives have to be constant evangelists when it comes to preserving operational effectiveness. Because most C-suite executives think in traditional budgetary terms, it is hard to demonstrate the effectiveness of security when a successful investment results in nothing happening. Meanwhile, most executives think in terms of reacting to regulatory, legal or operational requirements, which is why increased staffing and budgets are being devoted to regulatory, cyber and HR-related compliance, funds that may well be taken from security operating budgets.
To examine this issue, look at the financial sector. The passage of the Sarbanes-Oxley Act (SOX) in 2002 was a reaction to the sweeping Enron corporate fraud scandal. That law prompted massive corporate compliance investments, which in turn spurred IT investments that many view as the natural forerunner of the immense cybersecurity upgrades in today’s CIO budgets. Major corporate investments made in reaction to “scary” new regulation can also be seen in the healthcare sector, with policies such as health information privacy (HIPAA) and the ACA (Obamacare); in education, with education records privacy (FERPA), student disability (IDEA), Title IX and standardized testing (RTT); and across other areas, including privacy laws, payment card information (PCI), fair consumer practices (CFPB), stock trading regulations (SEC), bank secrecy (BSA), anti-money-laundering (AML), and even ever-changing HR and accessibility (ADA) policies.
Every year, corporations revisit policies and budgets out of fear of noncompliance. Ironically, security directors are almost never included in the discussion; they are often firewalled from compliance officers, if they are even lucky enough to be part of the organization at all. This leads me to wonder whether, in its purest state, security is a form of compliance. Those of us who became security professionals after a career in law enforcement understand that, after all, a peace officer enforces compliance with the laws of the land. By that logic, don’t security professionals assure compliance with corporate policy in order to protect life and property?
With the increased focus on cybersecurity threats, compliance and security are becoming more intertwined, as the changing face of the cyber threat demonstrates that even the best SOX compliance program won’t completely protect an organization on its own. The same goes for expanded human resource and educational policies: the ability to fairly investigate and enforce violations comes into question. Therefore, it is clear that compliance and security overlap, but they cannot replace each other without appropriate staffing and/or cross-training. While some CIOs state that they’d rather be compliant than secure, that is clearly said from the position of someone working in cyberspace, where passing an annual audit measures success. However, a true Chief Security Officer and/or Chief Compliance Officer also has life safety and operational threats (i.e. active shooter, theft, damage to reputation) to consider, which adds necessary perspective to the equation.
Therefore, it is essential for security and compliance professionals to work together. Some corporations have a Chief Compliance Officer with no security director. Some have security professionals but no compliance officer. In either case, it’s important for the security director to act as the compliance officer and vice versa. This way, someone is communicating corporate risk and vulnerabilities to executive leadership, so that budget priorities don’t end up kicking the security can down the road in order to react to perceived compliance demands. While many in corporate finance see continuous security improvements as a budgetary bottomless pit, the cost of inaction could be considerably greater. Because there is no certifiable end state for cybersecurity, and most people irrationally feel that physical threats and violent attacks “won’t happen here”, CFOs are always tempted to concentrate their limited resources on compliance while keeping security efforts to a reasonable “best practices” minimum.
This is why CSOs and Chief Compliance Officers need to team up and have the intestinal fortitude to educate executive management on the potential threats to their organizations.