On a quiet, rainy Sunday I would like to talk about NIST 800-12, “An Introduction to Computer Security”.  I am sharing this to help raise awareness, as much for our regular supporters, but also for those around us who may not fully grok the whole of a computer security program.  Specifically today, I am speaking to the role of auditors and compliance in a security program.

I recently had the opportunity to explore the job market due to a lack of funding at my previous engagement (an expression that is often heard in security, as security personnel are most often viewed as overhead).  During this time, I had the opportunity to interview with a growing company, a startup that apparently was well funded, based on their recent expansion and growth.  The interview took an hour, but was actually over 15 minutes into the interview when one executive  asked the perilous question:

“Which is more important, compliance or security?”

Given the context in which the question was asked, it sent chills that, mentally, sent me running.  It was very apparent in the question that the individual saw these as two distinct efforts, completely unrelated in their application.  Compliance, and any infosec audit function, should exist to aid the overall security effort, not hinder or lead.  When Compliance becomes the lead or priority, then it is not so good.  Metrics over actual Security is bad.  Very bad.  And that’s the feeling I had there.

OTOH, when organizations truly understand the roles and responsibilities required for an effective security program, good things happen.  When you have a scenario where security and compliance do work closely together, great things can be accomplished.  Often times it is a matter of working with the auditor so they understand your challenges, and they can often raise those to levels that need to hear actual risk and vulnerabilities.  NIST 800-12 talks about the security program, as a whole, and the components that are often required to actually implement a continuous improvement environment.  I am not advocating sharing it all with everybody, but rather understand what is there in order to share the relevant parts with our peers and colleagues.   I believe we all agree that knowledge is power, and that Security and all its complexities are often misunderstood throughout the enterprise.

Let’s change that.

tony d0t carothers --gmail