Phishing has become one of the biggest concerns across industry verticals, along with protecting data in cloud environments and on mobile devices in the infrastructure.
Compliance does not equate to security. The gap between the two is still very large. Many boards don’t seem to understand the difference between the two. As security leaders, one of the biggest challenges comes in the form of trying to describe to other management in the organization that there is a difference. Ideally, there should not be, but it’s the reality we currently face.
To start with, security professionals need to understand the compliance landscape. This means knowing risks and being able to map them to compliance requirements. This allows security leaders to go back to their management and show them not only that they need to do certain things for compliance purposes, but also how these actions reduce overall risk. This is important to closing the gap.
Another topic of discussion was “how well do security leaders know and understand their compliance landscape?” Is it more objective or subjective? Traditional training programs for compliance practices aren’t cutting it. Some of the speakers discussed potential ways to improve these programs. One method involved taking a group of different people within the organization including a marketing assistant, data research analyst and a receptionist, and having them attempt to hack an account at a password hacking station that had been set up. This used credentials that met all of the basic requirements like use of special characters, password length, etc. What they found was that out of the 200 people that attempted to hack the password at the stations, only the aforementioned 3 were successful.
The discussion then turned to the responsibilities of security professionals to lobby for laws and regulations that make sense. Some felt that current standards weren’t viable because of the way they were written and the disconnect between policymakers and security professionals in terms of knowing what is a viable requirement and what isn’t. Security leaders should start to attend more meetings regarding this kind of legislation and talk to people in a way that changes it so that it is business friendly, but still able to meet reasonable security needs and compliance standards.
The group was also particularly interested in a program shared by one of the participants regarding enterprise risk management and security. More information can be found here: http://ow.ly/RjBha