The Security Compliance Tweet Chat - What We Learned

July 24, 2018  |  Javvad Malik

In our most recent Tweet Chat, we had Ben Rothke join us as our special guest, and the topic for discussion was compliance.

If there ever was a topic that gets security professionals riled up, I think it would be compliance. There were many questions asked and answered; you can find most of the discussion by searching for the hashtag #AlienChat on Twitter. But for the purposes of this roundup, here are the top things I learned.

The Value of Compliance

What value does compliance bring? While there wasn’t overwhelming enthusiasm in support of the value of compliance, people were also not outright dismissive of it. Instead, we found a healthy level of cynicism amongst security professionals: there is recognition that compliance has its place - as long as it’s accompanied by some caveats.

Or as Adrian Sanabria summed it up:

Stuart Coulson raised a good point about the value that compliance can bring as a result of the business that is won or lost by having the right compliance certifications.

The business angle was one that I particularly liked, because it brought us to the next big point of the discussion.

The Security Poverty Line

The security poverty line is very real for many companies. There is usually not enough staff, free time, or money available to make security a priority. These are the companies that will do the minimum to become compliant in order to win business. As a result, they are also more likely to be breached, and to be fined amounts that would be a struggle for them to pay.

On the other side of the poverty line, a major question is whether fines are an effective motivator to get companies to do the right thing. While they may be effective, I’m not sure they are necessarily the right motivators; after all, fines can be considered the F in FUD.

Personal Accountability

So, if fines are not the best motivator, then what is? Apparently, a degree of personal accountability can go a long way; some went as far as suggesting that executives be arrested when their actions impact people’s lives.

Corporate brand protection was also brought up:

Cloud Compliance

Is the need for cloud compliance here? Ben seems to think it’s a vital issue that needs addressing, and I’m inclined to agree with him.

In Closing

I think compliance means well and its heart is in the right place. But by itself, it isn’t security - it’s something that can be factored into the overall risk assessment. After all, we’re all about balancing risk.

It’s worth scrolling through some of the discussion threads that cropped up during our Tweet Chat. Stay tuned for upcoming Tweet Chats with our special guests and let us know if you have suggestions for topics to address in a future #AlienChat.
