Real Compliance Requires Technical Expertise
Network World published an interview with an Ex-Bear Stearns CISO on compliance which raises some pressing questions but I think falls short on the right answer.
Jennifer Bayuk notes that regulators check for compliance by asking security people and security people ask vendors who return with checklists. Due diligence is reduced to something of a herd mentality: we're safe if we do what everyone else does. Bayuk suggests that vendors should provide evidence that they are secure, effectively by-passing corporate security. Where does that evidence come from?
We can't trust the vendors to be objective so we need objective third parties, something like an Underwriters Laboratory for security. Sounds good in theory but unless deploying applications becomes as simple and as standardized as plugging in a toaster, this won't work.
We can't push the compliance question onto outsiders. Companies have different business processes, run apps on different platforms, have different patch levels, etc. etc. There is no way a one size fits all, test it for compliance once and it works for all will ever work.
Bayuk is right that there aren't enough security professionals but substituting some kind of vendor's certificate of compliance for today's checklist is no improvement.
Email This!
Digg it!
Sphere it!
Del.icio.us
Reddit!
Newsvine
