Which is more Important – Compliance, Security or Operability?
August 6, 2008
The task of managing risk within a given organisation has changed dramatically.
There was a time when compliance was unheard of (so to speak), security meant switching off modems, and ensuring systems remained operable involved parking a big lorry in the car park for a week to verify that backups worked.
This tranquil world has now been shattered: projects and budgets are dictated by a need to comply, operability of systems demands 24-hour uptime for fear of losing significant revenue, and the number of risks affecting an organisation changes on a daily basis.
Equally confusing is how compliance, security and operability are so inter-linked that a potential change in one can dramatically affect another.
Take, for example, the PCI standards for companies processing credit cards.
Complying with such standards should result in a given organisation being more secure.
However, such standards do not necessarily mean that an organisation cannot be more secure without compliance; so why is compliance introduced?
Largely because companies or individuals fail to do the “right thing”, which often results in regulations or new laws being passed to mandate that they conduct themselves in the “right way”.
What remains constant, however, is operability: without an available system, surely the business will grind to a halt?
However, as we are all aware, there is nothing cut and dried about making business decisions, and what has prevailed is the need to strike a balance between security and operability.
With the introduction of more compliance requirements, some of the guesswork has been taken out of defining this line.
What is for sure, however, is that this line is not fixed: it will vary not only from industry to industry, between companies, or even between departments, but may also depend on what phase a particular project is in.
This blurry line can even shift with personal circumstances: ask a security professional and they may well state that security is the number one priority for any given organisation.
However, ask them when they are a patient in a hospital and need the systems assisting their rehabilitation to be available, and their perception of the risks will change: they will answer operability.
Equally, if you were to ask the executives in charge of Société Générale shortly after they lost £3.7bn when one of their traders managed to circumvent their internal controls, then perhaps they would answer security (or rather, more of it).
However, ask them just before it is time for the City bonuses, and it is likely they would want operability.
The future for business is likely to change further: compliance requirements will change, and with the potential threat of custodial sentences for non-compliance, this area will take on more importance.
Likewise, with the increasing reliance on the Internet to provide revenue, operability will remain high on the agenda.
The demand for security will therefore increase to such an extent that the demand for good security professionals will far outstrip supply.
But as for answering which is more important, sadly the answer to such an interesting and challenging question is the rather mundane one: it depends!
Raj Samani, Vice President for Communications, ISSA UK is a blogger on www.infosecurityadviser.com