Organizations know they must comply with relevant regulations simply to stay in business. Many IT security teams leverage this and position new security initiatives as a must for compliance. It’s not uncommon to hear a tip like “use compliance to fund your security initiatives” in professional communities or at conferences.
In general, it is true that regulations attempt to set minimum guidelines for securing certain types of data or activities. However, no regulation can give you a universal guidebook for securing your specific business against the current threats at a particular moment in time.
Compliance can be an effective way to start an ROI conversation and get attention in a less mature organization where the executive team is less aware of the real risks. However, it is potentially thin ice: You should never give in to a false sense of security based on ticking all the boxes of any compliance checklist.
Another pitfall you want to avoid is creating the perception that the IT security team is a “necessary evil” that executives will tolerate and even fund, but would happily get rid of if they could.
I am definitely not arguing you should not bring up compliance in a budgeting conversation. On the contrary, you should be aware of the current and anticipated regulatory requirements for your industry and jurisdiction. However, similar to operational cost reduction, I think it would be a mistake to over-rely on compliance as the primary way to justify a security investment.