Bridging the Compliance and Security Gaps

Michael Vizard

There's a natural tension between compliance and security that stems from the simple fact that too many IT organizations equate one with the other. Compliance requirements generally provide only a baseline of minimal security, so it is entirely possible for an organization to be in compliance and still suffer a security breach.

Confusion over this distinction frequently leads to frustration with compliance requirements, along with a general sense of security fatigue that can be traced back to all the issues that compliance products generally don't address. The good news is that we're starting to see more convergence between security and compliance products to address this issue.

Case in point is the enhanced file integrity monitoring capability that Tripwire has included in the latest version of the company's VIA platform. Rolled out at the recent RSA Conference 2011 event, the new version of Tripwire's file monitoring software has been optimized around version 2.0 of the Payment Card Industry Data Security Standard (PCI DSS) in a way that allows IT organizations to continuously monitor logs and system event information to identify any abnormal updates to files. Because unusual file activity is often one of the first signs of trouble, Rekha Shenoy, vice president of marketing for Tripwire, says the Tripwire VIA platform not only helps companies stay in compliance, but also serves as an early warning system for potential security breaches.
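To make the file integrity monitoring idea above concrete, here is a minimal monitor written for this page as an added example; it is not Tripwire's code and does not reflect how the VIA product is implemented. It records a baseline of content hash, permission bits, size and owner for every regular file under a directory tree, then rescans and reports anything added, removed or modified, which is the core of what PCI DSS 2.0 asks for in its file-integrity monitoring requirement (11.5). The directory layout, file names and the tampering applied in `demo()` (a weakened `sshd_config`, a replaced `ls` binary of identical size, a world-writable `passwd`, a new cron entry and a deleted banner) are all constructed for the demonstration.

```python
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path

# Hypothetical minimal file-integrity monitor (added example, not Tripwire's code).


def file_digest(path, chunk_size=65536):
    """SHA-256 of a file's contents, read in chunks so large files never sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Record hash, permission bits, size and owner for every regular file under root.

    Keys are POSIX-style relative paths so a baseline is comparable across hosts.
    """
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue  # directories, sockets and symlinks are out of scope for this demo
        st = path.stat()
        baseline[path.relative_to(root).as_posix()] = {
            "sha256": file_digest(path),
            "mode": stat.S_IMODE(st.st_mode),
            "size": st.st_size,
            "uid": st.st_uid,
        }
    return baseline


def compare(baseline, current):
    """Diff two baselines: files added, removed, or with any recorded attribute changed."""
    report = {"added": [], "removed": [], "modified": {}}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        else:
            changed = [k for k in baseline[rel] if baseline[rel][k] != current[rel][k]]
            if changed:
                report["modified"][rel] = changed
    return report


def demo():
    """Constructed scenario: baseline a fake system tree, tamper with it, rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "motd").write_text("Authorized use only\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF original")
        os.chmod(root / "etc" / "passwd", 0o644)  # pin the mode so the demo is umask-independent

        baseline = build_baseline(root)
        # A real deployment stores the baseline off-host or signed; here it is round-tripped
        # through JSON only to show that it serialises cleanly.
        baseline = json.loads(json.dumps(baseline))

        # Simulated tampering, the kind of "abnormal updates to files" a FIM should surface:
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")  # config weakened
        (root / "bin" / "ls").write_bytes(b"\x7fELF trojaned")             # same size, new content
        os.chmod(root / "etc" / "passwd", 0o666)                           # now world-writable
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "backdoor").write_text("* * * * * root /tmp/x\n")  # persistence
        (root / "etc" / "motd").unlink()                                   # banner removed

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two points the example is meant to show. First, size and timestamps are not enough: the replaced `ls` is the same length as the original and is caught only by the content hash. Second, a hash comparison tells you what changed but not who changed it or when; correlating the change with authentication and sudo logs from the same window is what turns the alert into the "when and where" described in the next paragraph. And keep the baseline somewhere the intruder cannot edit, or they will simply update it along with the files.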

Shenoy says it is one thing for a security information and event management (SIEM) product to tell you when your organization is out of compliance, but it's a higher order of value when that SIEM offering can identify when and where files are being accessed without authorization. That capability, she adds, means that money allocated to compliance is actually serving to enhance security. And like it or not, IT organizations today are rolling acquisitions of security technologies under a compliance budget that is much easier to get approved in today's business climate.

At the end of the day, Shenoy says that every dollar spent on compliance should enhance security and vice versa. The trick is to find products and technologies that make both sides whole, versus simply trying to check off a compliance requirement without any regard to the company's overall security posture.

Feb 28, 2011 5:34 AM Scott Wisniewski says:

Agreed. Focusing on business risks will facilitate the build-out of an internal control framework that can efficiently address business risks as well as externally driven compliance requirements. Further, setting a good foundation will help meet compliance requirements organizations may not even be aware of, or those that have yet to emerge. In the not-so-long run, it's better for your business.

Sep 30, 2011 6:10 AM Octavian Paler says:

That's some advanced malware right there. I didn't know there was such a thing as a "copycat kit" for copying off the alerts produced by legitimate antivirus products; very elaborate and tricky. I better warn my mom about this and upgrade her internet security, since she browses Facebook a lot, so she's an easy victim for malware.

