Trenton, NJ (Vocus) March 4, 2010
John Verry, Principal Security Consultant at Pivot Point Security (Hamilton, NJ) recently spoke to a group of CISOs (Chief Information Security Officers) across a variety of industries at recent CSO Breakfast Club events. Held at Eckert Seamans in Philadelphia and Reed Smith in New York City, the Legal Updates discussion focused on security compliance requirements faced by information security professionals.
“Information security,” says Verry, “is increasingly driven by overlapping laws/regulations that are progressively more ambiguous in definition, deployment and application.” Is this bad news for information security professionals? On the contrary, Verry believes in the “ambiguity paradox”: the tipping point where greater ambiguity actually leads to greater clarity.
This point is reached once an organization becomes encumbered by a half-dozen or more overlapping and inter-related “regulations”: Personally Identifiable Information laws (now 47 of them), PCI-DSS, HIPAA, Sarbanes-Oxley, NERC, and/or business associate contracts. At the tipping point, “… inputs no longer matter … because at their core every one of those standards details a group of common controls … which eventually overlap to encompass the entire possible universe of controls.”
At that point the focus shifts to “outputs”, most notably the ability to map each “universe control” back to the original regulations so that you can easily demonstrate compliance. Verry argues that the ambiguity paradox will drive IT-GRC (IT governance, risk management and compliance) and SIEM (Security Information and Event Management) further into the mainstream over the next few years.
There are myriad benefits to defining your own universe. Most notably, when the playing field is known it’s easier to leverage existing standards to simplify security and compliance. While Verry emphasizes ISO 27001/27002, he also allows that, depending on one’s field, a different 27001 variant such as HiTrust (Health) or Shared Assessments (Financial) may be worth considering.
Vendor risk management is another arena where the ambiguity paradox plays out. In clearly defined client examples, Verry demonstrates the value of a risk-centric (as opposed to controls-centric) approach. See the presentation for the astonishing results!
About Pivot Point Security:
We are a boutique information assurance firm architected to provide maximum levels of independent and objective information security expertise to our varied client base. Our policy of not selling product and our absolute focus on four core practice areas (Security Assessments, Ethical Hacking, Compliance Assessments, and Security Information Event Management (SIEM)) ensure that we have the highest possible levels of competence and independence. Coupling this with our “mutual benefit”-centric approach has allowed us to earn the trust of our clients, many of whom we have enjoyed working with since our founding. We count amongst our satisfied client base small family-run organizations and some of the world’s largest multinationals. Our clients span a diverse cross-section of market sectors including: Non-Profits, Pharmaceuticals, Financials, Telecommunications, and Government.