To say that information security and compliance professionals are sometimes at odds with each other is a bit of an understatement. Despite IT industry guidance about the value of network security and compliance teams working together, quite a bit of friction can occur. The root cause of this most often has to do with the fundamental disconnect between how the two disciplines prioritize specific efforts, including individual technology controls.
Understanding why this friction crops up isn't difficult. Info security professionals focus on risk management (i.e., keeping technology-related risk within acceptable parameters), so they concentrate on deploying controls with the potential to significantly lower overall technological risk. Compliance professionals, by contrast, need to ensure that technology controls fully address regulatory compliance requirements.
From the compliance professional's point of view, failing to implement a required control is a risk in and of itself. Disagreement between the info security and compliance camps arises when a given control serves one function but not the other. For example, a control required by regulatory mandates sometimes provides little in the way of overall technological risk reduction, and a control with practical risk reduction doesn't always meet a regulatory objective.
This prioritization gap has been difficult to rectify. Organizations sometimes try to align the information security and compliance functions via governance, risk and compliance (GRC) unification efforts that seek to bring the functions together under one umbrella. Very often, however, these integrated functions drift back apart into independent silos.
Recent changes in the way organizations purchase IT services -- specifically, the adoption of provider-supplied services through cloud technologies -- help redefine the relationship between info security and compliance teams. This can harmonize the working relationship between each department's resources through necessity. By the same token, when that necessity is ignored and contentious relationships persist, it can become a recipe for security and compliance concern.
The use of cloud -- especially multitenant, provider-supplied technology services -- requires high-level coordination between compliance and technical security teams. Why? A significant percentage of cloud security controls in this context are provider-supplied resources. As a result, these controls require input from both disciplines to be managed and evaluated effectively.
Creating the info security and compliance alliance
A primary goal of compliance professionals is to validate vendor-implemented controls and deem them sufficient to meet regulatory mandates. To do so, they almost certainly need to draw upon technical insights from information security stakeholders. Not only are info security teams (usually) more technically focused than their compliance counterparts, but they are also intimately familiar with the organization's internal technical security controls.
This means that the information security department is best equipped to understand the technical challenges when operating those controls post-deployment. Info security professionals are also more likely to understand the potential integration issues (including possible gaps in control coverage) that can occur when internal processes, applications and systems start to directly interact with vendor-managed ones.
Correspondingly, IT security personnel need to draw on compliance team members' skill sets to understand the risk dynamics of a vendor-hosted environment. It is the compliance team that has the processes, methodologies and subject matter expertise to properly audit sufficiency, scope and coverage. Because compliance team members have this audit and data collection expertise, they are (or at least have the capability to be) the eyes and ears of risk management relative to the vendor-managed services and controls.
It's important for organizations to recognize that both teams have a role to play in evaluating cloud deployment from a security and compliance standpoint. The same is true for monitoring activities post-deployment. In situations where the info security and compliance teams are already working well together on a consistent basis, a tighter working relationship will happen naturally. But in situations where they are either completely independent or where they don't see eye to eye, it's imperative that a closer-knit relationship be formed. If the two teams don't communicate or otherwise work together, both technical risk and compliance risk come into play.
In those situations where there isn't an already-established close working relationship between security and compliance, a few productive measures can go a long way toward starting one. One approach is the designation of a cloud "tiger team" -- a multidisciplinary team that incorporates stakeholders from across the organization (including security and compliance) when considering and implementing cloud deployment. As team members work closely together, they solidify relationships that tend to carry over into other business processes.
A modified version of the team approach that incorporates direct partnership between info security and compliance (without the rest of the multidisciplinary team) can work, but it requires an internal champion in one or both of the disciplines. Alternatively, standardizing and sharing the toolset used to track vendor compliance can also help, assuming you can reach consensus on what the tool should be and how it will be used.
When all else fails, a "top-down" approach -- put simply, a directive from senior management outlining joint ownership of tasks -- is better than nothing. But because this approach doesn't begin by demonstrating the value of the cooperation, it can be more brittle than relationships that evolve on their own.
Whichever route organizations take to remove the information security and compliance disconnect, doing so is vital to the success of any cloud deployment, as well as to many other organizational functions. If the two functions don't work together when it comes to cloud deployment, risk and compliance concerns will abound.
About the author
Ed Moyle is a founding partner at New Hampshire-based information security and compliance consulting firm SecurityCurve. Moyle previously worked as a senior manager with Computer Task Group Inc.'s global security practice and, prior to that, served as a vice president and information security officer at Merrill Lynch Investment Managers.
This was first published in December 2012