The New Oxford American Dictionary defines compliance as “the action or fact of complying or yielding to a set of rules or standards.” Many infosec experts have their own definition of security compliance, consisting of a few choice four-letter words.
Like it or not, compliance will be here for the foreseeable future. We seem to be caught in a Catch-22: it is commonly agreed that metrics are critical to ensuring the effectiveness of security controls, yet businesses often become engulfed in compliance requirements when they attempt to adhere to a baseline of acceptable minimum standards defined by a framework. Some frameworks, like PCI DSS, contain very detailed and rigid requirements that leave little room for interpretation, while others, like ISO 27001, are more flexible and give the business room to define its own requirements. Many frameworks require or promote an internal or external audit that evaluates the controls in place and, if necessary, establishes corrective actions.
The humorous or disastrous observation on how businesses often address compliance—depending upon your point of view—is that they not only have no idea how to approach the topic but assume that they are experts, and refuse to see the error of their ways. I ought to know, because I have been on the short end of this topic and have lived to tell the tale. My personal career has been, shall we say, interesting when it comes to compliance.
A growing trend is for companies to conflate project management and information security when seeking experts to address their compliance requirements. An increasing number of companies are looking to fill compliance roles and believe that information security experts are the right people to hire. More and more compliance openings ask for CISSP, CISA and other certifications, yet these roles really only require project managers who can serve as intermediaries between the auditors and the IT teams.
If you are looking for work and come across an opening for some type of compliance work, don’t let the requirements fool you; companies often believe that security qualifications are needed because security is the general subject of compliance. In reality, security skills are of little importance in these roles.
If you are interviewed by a company for a compliance role and would like clarification on the real qualifications needed for the role, I would like to offer something that has helped me in my interviews. Ask the interviewer: “If you were only permitted to choose one skill needed for this role, would you choose a project manager or an information security expert?” If “project manager” is the reply, then it is a good bet that your security skills will not be needed. This question has often been the key factor in my turning down roles that I thought would not enable me to grow as a security practitioner. I wish I had asked this question years ago.
Another disturbing trend is that companies often treat common security best practices as though each framework demanded a completely separate version of them. For example, HIPAA and ISO 27001 both require businesses to define operational continuity as needed for the business, yet many interviewers consider “HIPAA disaster recovery” and “ISO 27001 disaster recovery” to be separate entities. To them it is not just a matter of apples and oranges; it is apples and algebra. Although businesses of all types use identical databases, servers, data centers, desktops, monitoring, and so on, they regard disaster recovery and business continuity as practiced in an industry unlike their own as something foreign.
ISSA Austin will continue its outreach program to local businesses to help them make informed decisions on infosec issues. ISSA Austin also offers a mentorship program to its members to help them be effective in job searches, interviews and negotiations. Contact a board member if you are interested in a mentor.
President – ISSA Capitol of Texas chapter