A strange analogy crossed my mind the other Sunday. The whole IT Compliance vs.
Security struggle is a lot like a common struggle in most religions.
A common logic used in religion is to
1) follow the laws of the religion, and
2) follow the principles of the religion as you understand them.
Following the laws and principles counts as doing something "right", and not following them counts as doing something "wrong".
Laws or Commandments
Compliance regulations are like the "law" or commandments handed down as
non-negotiables in religions. You will do these things, and you will not do those things. If you break
these rules, you will be punished in some defined way. There is not much grey area when
it comes to following laws and regulations: the requirement is either met or it is not.
General IT security, however, is more like adherence to the principles
behind the teachings of the religion. How diligently or zealously you follow
and act on the principles of IT security can cause people to admire you,
despise you, or think you are some sort of radical. Grey-area dilemmas are
also far more common with principles than with laws.
So what happens when there is no clear-cut answer as to whether something follows the
principles of security, or of your religion? This is where you must fall back on
risk-based decision making: weighing how likely a harm is and how bad it would be, including the reputational harm of being seen to act irresponsibly. In most religions, the risk that someone will perceive you
as doing something wrong is enough to guide how you act.
Security decisions can often rest on the same kind of risk judgment. If your customers or others
could perceive you as doing something wrong or irresponsible, then your
course of action should be to stay well clear of anything that would create that perception.
A code of ethics can also reduce confusion around security decision making. That is just one reason professional organizations publish guidance for security practitioners.