Security is built on compliance

Security is built on compliance


Data breaches are not the only things on CISOs' minds

The headlines in IT security over the past few months have all been centred on the importance of securing corporate data assets. But is the view from the ground any different from the one so often perceived by those outside of the IT industry? The presumption has often been that with the advent of perimeterless networks, and the sharing and storage of data by third parties, IT managers need to prioritise implementing identity and access management systems, and protecting the data itself.

So the recent assertion from IT security chiefs at certain high-profile UK organisations that their primary concern was actually ensuring compliance with regulations such as the Sarbanes-Oxley Act and Payment Card Industry (PCI) standards may come as a surprise.

This emphasis on regulations and legislation does not diminish the importance of data security,­ after all, PCI was created to ensure the secure processing and storage of credit card data. But despite the dramatic warnings spun out by data loss prevention and encryption vendors, the less attention-grabbing activities associated with compliance still dominate the budgets and to-do lists of IT security chiefs.

Given the importance of such activities, it may not be long before more UK organisations establish the role of chief compliance or risk officer to ensure this area has a dedicated owner outside of the IT department.