Security vs Compliance - Part One

Product Manager

Today, I want to bring your attention to a great series of webcasts that are available here: Security Kung Fu Webcast Series

I will stress the importance of each one of these over the next few weeks as I review and reflect on what I learned from these webcasts.

That's right. I'm reviewing the webcast as a critic in this series because I deeply believe in security, and I want to make sure you guys are aware of the content provided in each webcast. Please follow me on this security adventure and dive into the importance of the information they covered. Also, I'll be mixing them up, so the reviews won't be presented in order. 

Takeaways

1. There is a difference between being secure and being compliant.

  • I can comply with regulations, but does that cover everything within my infrastructure?
  • I can secure my environment, but does that mean I am meeting my overall compliance needs?

These are questions that I like to ask whenever I'm involved with any security plan. This helps to make sure that my environment is fluid and being assessed by both sides of the argument.

2. Too many rules to follow! I just want to do my job!

  • News flash: Security is a business issue. It's NOT just for IT!
  • This webcast talks about the rules and compliance needs for different types of businesses. However, all levels of users need to focus on security. This means engaging with and training them at every opportunity.

The biggest issue that I see is a lack of solid security planning that is integral to an organization's overarching business strategy. This webcast offers insight on ways to use tools to help you complete security plans faster and strengthen your proactive and reactive security needs.

Summary

The Security vs Compliance webcast will help guide you toward implementing a solid security plan. I joined this webcast and offered some of my opinions on being secure vs compliant, so please feel free to let me know if you have more to add!

Remember, "Security is a very fluid dance. The music may change, but you have to keep dancing."

If there is something specific you guys want me to bring up, please let me know! I love talking security and how to use what you have to support any security plan. Leave me a security comment and I'll see if I can get this ramped up and answer in a future Geek Speak blog!

18 Comments
MVP

Nice article

MVP

Every auditor that I have spoken with uses the phrase "if it's not documented, you are not doing it." That can also summarize compliance but execution is what it takes for security.

Very nice article.

Level 21

Most of you know me as a straight shooter who mixes sarcastic charm with laughter. If you don't know me, you're missing out.

Dez, this was literally the first thing I read this morning; it totally made me laugh, and I couldn't agree more. Great way to start my day, thanks for that.

I am really looking forward to this series, as it totally speaks to me, being a person that has one foot in InfoSec and another in the operations side of things. I manage many of our security-related tools and am on the team that designs and builds our secure environments. One thing I have found is that security and compliance, while very different, are like a muscle: the more you do them, the more you get used to doing them, and they eventually stop feeling like an inconvenience.

MVP

While you must document for audit to know you are "doing something", you must log and have the data to back it up...

Yes, the dance with being compliant and secure is a tedious one... they are complementary in nature, as what you are doing now to be secure may become a requirement for compliance later on. Now if a step to be secure is afoul of compliance, you may be able to document the issue and no longer be afoul... maybe.

Level 9

Very informative, thanks.

Level 13

Great Article. 

Level 20

After years of dealing with ISSOs and ISSMs I'm pretty used to what Dez is talking about. In fact I heard Dez talking about security at Phoenix SWUG and I heard her mention ISSOs, so she's obviously worked with someone in the DoD before as a customer. Now with RMF everything is going to be STIG'd, which means a LOT more work than our normal years of NISPOM compliance. The next couple of years are going to be busy for everyone in the community as all new Information Systems have to go through the RMF process to get certified. We'll see how it goes... I got a foot-thick set of books from RMF training I took a few weeks ago... the ultimate goal of RMF is continuous monitoring, so it fits right in with what we all do with Orion!

Risk Management Framework

Looking forward to it. 

The proof is in the documentation. Even if someone is consistently following a best practice, if that work isn't documented and required by policy, where's the ability to prove it's being done the right way, every time, by every person?

Nice article!

Level 14

Wow, did this hit home, Dez!!! A great article....

Working in a highly regulated environment, it is at times a formidable balancing act, not unlike the old plate-on-a-pole balancing trick: keep them spinning and you are fine; drop one and you risk the others being smashed to bits.

Level 9

Wow Dez, indeed we have to keep dancing to the security changes. Being compliant is also very important. Standards are to be followed.

Security vs. Compliance is an important lesson for many to learn. One does not automatically offer the other. In fact, they are parallel paths. I work for a cash-only, privately held business. We have very few compliance regulations to adhere to. Seasoned IT veterans, especially those that have worked in the compliance-driven space, can appreciate how my situation can be a dangerous place. My leadership sleeps under a false sense of security that we are okay. But the reality is that we are vulnerable, and just because compliance isn't required, security definitely is.

MVP

In a previous life I sold automatic gates, so many of my customers were pretty well off.

One of my customers got caught by that security piece. He kept sending his "staff" out on Jet Skis in the wee hours of the night/morning to pick up "supplies" from boats arriving a few miles off the coast. So he had to completely overhaul his security model after the Feds picked up his "staff."

Level 14

wow... great story!!!

Level 20

Geesh, that sounds pretty shady, Richard! I guess you're probably glad you're out of that business now, maybe?

MVP

Our business was actually very legitimate - it's just that when you get to people with that kind of money, you run into those that made it by being good business people, those that inherited it, and then those on the other side of the law. Fortunately we seldom had any negatives that came out of our interactions. It was a very interesting business, as I got to actually design some very interesting ornamental gates and meet some really interesting people.

Level 20

It does sound interesting... I live in North Scottsdale, Arizona now and there are some VERY wealthy people here of all kinds, so I know what you mean... There's everything from old money to mob families, I think. The one cool thing is I see LOTS of really, really nice cars here, which I love!

Level 14

The Security and Compliance Tango. Be fluid, but stay sharp. Security requirements tend to change much more quickly than compliance requirements. Oddly enough, I actually had this argument with an IA manager I once worked for. He insisted that if we were compliant, we were secure. He isn't in security anymore.

About the Author
I started in networking and security around 2002 by taking Cisco Certified Network Associate and Security+ courses from Central Vo-tech. This is where I fell in love with technology in general. From there I ventured out to internships and started using the Engineers Toolset from SolarWinds, which made me wonder about software. The company I was with purchased Cirrus, which is now Network Configuration Manager (NCM), and I was officially hooked. I searched out SolarWinds and, well, you guessed it, I started working for them and, believe it or not, in sales. That was the only position open, but I knew I wanted to be here. So I quickly worked my way into the support side and became the first Sales Engineer and then the first Applications Engineer. Since I am a very curious person, I have, in my 9 years of being at SolarWinds, decided to pursue more education. Security has always been a fascination to me, so I started taking classes on the INFOSEC Assessment Methodology (IAM) and INFOSEC Evaluation Methodology (IEM) of the NSA. Then I went and took the CIW Masters for web development and ventured into databases: MCITP SQL Server and Development certifications that led me to a database development degree in college. I’m pretty much a jack of all trades and LOVE IT! This all applied to my work with SolarWinds, as I wanted to be able to help customers solve their issues or needs, so knowing more information allowed me to do this successfully. I also dabbled in Cisco UCS management and am currently taking classes to venture toward a CCIE (crossing fingers). NCM is a product that I have worked with since its beginning. I even had the opportunity to fly to the NSA to create templates for some of their devices. I used to be the sole MIB database controller, so I’m definitely your huckleberry on MIBs and OIDs.
As an Applications Engineer I focused on Network Performance Monitor, Network Configuration Manager, Web Performance Monitor, Enterprise Operations Console, Patch Manager, User Device Tracker, and the Engineers Toolset. See why I like to constantly learn new things? I had a lot to be on top of! SolarWinds is a passion of mine still to this very day. My new role as a Product Manager for NCM is home to me. Funny how I circled back around to my favorite product, the one that got me here in the first place. :) My goal is to educate and work with customers to leverage our products to their fullest degree!