Gartner Blog Network

Security And/Or/Vs/Not Compliance?

by Anton Chuvakin  |  April 28, 2014  |  3 Comments

When I got this Gartner blog, I made a promise to myself to avoid rants, as a matter of personal policy. I’ve done my share of rants on my previous blog (examples), and while they are fun to write sometimes, they don’t help people do stuff better or faster. They also make me part of the dreaded echo-chamber of the security community, densely populated with plenty of rant-spewing characters. Sure, I’ve broken this promise a few times, deceptively masquerading the rants using the tag philosophy.

This is one more rant! Sorry, but I just have to do it- otherwise I will “asplode.”

So, security and compliance is again the topic. Sure, plenty of people have stated that “security is not equal to compliance” with various meanings loaded into the line. Plenty of presentations (example) and conference panels have touched on the subject of the interrelationship of security and compliance. Why another post – and a rant at that?

In the past, I’ve tried to promote a healthy relationship between security and compliance, such as:

  • Compliance (such as PCI DSS) is a healthy motivator for improving security, sledgehammer as it may be.
  • Compliance can also be used as a budget driver to buy security tools (with an obvious assumption that they would be actually used for security)
  • Compliance defines minimum-security; that proverbial low bar, a subset of what is needed based on the organizational view of risk
  • Compliance may also be seen as an example of documented and auditor-proof security (“secured and knows it”)

In essence, my interpretation of “security is not equal to compliance” is rather literal – they are not one and the same, but they certainly should be in a happy, mutually enriching relationship. After all, compliance opened plenty of purse strings to fund meaningful security improvements at many organizations, improvements that many of those organizations would not have accomplished.

Well, some recent experiences have led me to believe that quite a few organizations have built a deep chasm between security and compliance. Under these circumstances, their problem is not that “security is not compliance”, but that nothing they do for compliance helps security. So, while I was aware of some abuses (example), I was not aware of many environments where compliance is in complete and utter disconnection from security.

This was meant in jest: “Don’t you dare trying to use that #SIEM to detect an intruder, we bought it for compliance and by god it will stay that way!!”

but guess what – there are environments where this thinking is exactly what happens. Similarly, a notable security vendor recently came up with a novel idea – that their security tool can actually be used by security professionals to help security by detecting compromised systems. Upon seeing this, I experienced a bit of a brain freeze: WTF? It is a security tool – it has been used successfully by security professionals to detect incidents way before compliance became fashionable (which is roughly, 2004-2006). Why is this thinking novel? Buying and using a security tool for security – how new is that, really? 🙂

However, upon pondering this for some time, I realized that they are right: many environments buy security tools for compliance and then not use them at all [not even for compliance], or only use them to the extent needed to satisfy the most creatively minimalistic interpretation of a particular mandate or regulation.

People, has compliance burned your brains?!!! We are NOT doing it to impress an auditor; we are doing it to stop an attacker!

Posts that may be considered rants by some:

Additional Resources

View Free, Relevant Gartner Research

Gartner's research helps you cut through the complexity and deliver the knowledge you need to make the right decisions quickly, and with confidence.

Read Free Gartner Research

Category: compliance  philosophy  security  

Anton Chuvakin
Research VP and Distinguished Analyst
8 years with Gartner
19 years IT industry

Anton Chuvakin is a Research VP and Distinguished Analyst at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist… Read Full Bio

Thoughts on Security And/Or/Vs/Not Compliance?

Comments are closed

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.