SC Congress Chicago: Build a program that supports compliance

Experts at SC Congress Chicago on Thursday were set to share advice for following industry guidelines without getting buried in the details of compliance tasks.

Rick Doten, CISO at technology solutions firm Digital Management (DMI), told before the event that the first priority for organizations should be understanding their risk profile.

That involves determining which company data and systems are of value, where they are located and how long they remain valuable, Doten said. About 70 percent of DMI's business comes from the Department of Defense (DoD) or intelligence agencies, as the firm is primarily a federal contractor.

Doten said that one misstep often taken by public sector organizations is treating regulations as the end point of security checks and balances rather than as a means to them.

“Unfortunately, in the federal government, particularly in the civil agencies, security is viewed as a compliance factor only,” Doten said. “They use that as their ceiling.”

While agencies, like DoD, have higher requirements for managing security processes than other public sector organizations, all too often there is still a “check box security” mentality, according to Doten.

“They focus on [threats] that are ubiquitous, rather than testing things in different environments,” he said.

Doten added that assessment of organizational risks, and determining IT infrastructure that will address those needs, sets the stage for a strong security program.

Professionals from various industries aimed to simplify strategies for tackling security guidelines and regulations.

“I'm not chasing regulations, I'm protecting the assets of my business,” he said. “Focus on protecting your business and regulation becomes a reporting exercise.”

Ken Rowe, director of enterprise systems assurance at the University of Illinois in Champaign, told that his school deals with a plethora of security guidelines, from Payment Card Industry (PCI) standards to the Family Educational Rights and Privacy Act (FERPA), federal requirements addressing student privacy and state privacy laws on protecting data.

The enterprise services team at the university supports more than 100,000 online users, including students and staff. According to Rowe, a good place to begin when vetting security standards is with user access controls, which “revolve around provisioning of user access – or who you give computer system access to,” he said.

John Johnson, global security program manager for John Deere, told that industries with fewer security regulations, like manufacturing, don't necessarily need more federal- or state-level oversight to protect their businesses or clients.

“Being compliant is a good thing, but mindlessly being compliant isn't adding any value,” Johnson said. “I certainly wouldn't suggest that we need more regulations in our industry. Spending more time checking off boxes isn't that valuable.”

Instead, organizations should determine what a mature security program looks like for them, and how it can be most efficiently implemented.

“Until you have a culture of security at your company, it will be a slow [process] to implement good security measures and have support from your management,” Johnson said.
