In my previous blog "Something Rotten in my Kingdom" I asked the question: Can we envisage a way to improve security through compliance?
Angela Carlisle, Technology Compliance Manager for Regions Financial Corporation, highlighted in our recent chat that the major impediments to compliance and security are resources: having enough people, enough money, enough time, the right skill sets to help you address the issues. It's a variety of resource challenges. People want to do the right things, everyone wants to help, but there is this lack of resources: not enough people, not enough time and no funding to pay for additional people or items.
Funding is the root of this problem, and guess who holds the key to the moneybox? Mmm? Well, the decision-makers.
So the most challenging mission of compliance, risk and security managers is probably to convince the decision-makers to decide in favour of security. That leads me to conclude that the key to the above problem is the decision itself.
Nothing can be done properly until it has been decided first. The same goes for security-related matters: we can't protect our data if there is no official decision to do so. Once something is decided, we have a trajectory to hold to. Decisions lead to action. But what leads to proper decisions and, more specifically, what leads to better security decisions?
Proper decisions require information: information about the problem, the situation or context, the potential alternatives with their pros and cons, and an understanding of the potential losses and gains.
Proper decisions also require an understanding of the motives of the parties involved in the thinking process and of the biases that could influence the outcome.
Targeting compliance is a decision in itself, one that can positively or negatively impact the security of the company depending on the motivations behind it. But compliance programs are also a valuable source of recommendations and guidance that can lead to better security decision-making.
So I would suggest tackling this problem by looking at it from the perspective of security decision-making. Our approach would then be to discuss the best practices and guidance from these compliance programs and present them through the lens of the decision process.
What do you think?
What are the factors that one should take into account in making security-related decisions?