Compliance, Security and Religion

A strange analogy crossed my mind the other Sunday. The whole IT Compliance vs.
Security struggle is a lot like a common struggle in most religions.

A common logic used in religion is to

1) Follow the laws of the religion, and

2) Follow the principles of the religion as you understand them.

Following the laws and principles would be doing something “right”, and not following them would be doing something “wrong”.

Laws or Commandments

Compliance regulations are like the “law” or commandments handed down as
non-negotiables in religions. You will or will not do these things. If you break
these rules you will be punished somehow. There is not much grey area when
it comes to following laws and regulations: a control is either in place or it is not.


However, general IT security is more like adherence to the principles
behind the teachings of the religion. How diligently or zealously you follow
and act on the principles of IT security can cause folks to either admire you,
despise you, or think you are a radical of some sort. Also, the possibility of a “grey area”
dilemma is much more common when it comes to principles.

The Dilemma

So what about when there is no clear-cut answer on whether something follows the
principles of security or of your religion? This is where you must fall back on
risk-based decision making. In most religions, the risk that someone will perceive you
as doing something wrong is enough to give you guidance on how to act.

Security decisions can often be based on the same kind of risk judgment. If your customers or others
could perceive you as doing something wrong or irresponsible, then your
course of action should be to steer well clear of anything that would cause that perception.

A Code of Ethics can also help reduce confusion around security decision making. That’s just one reason why professional organizations help provide guidance for security professionals.

Need CPEs to maintain your Cert? Volunteer!


Attention CISSPs — ISC2 allows you to volunteer doing computer security work for a charitable, government or public organization and count those hours towards your CPEs. (Disclaimer: I am a CISSP, but I am not employed by ISC2.)

Most certifications require that you maintain some type of continuing education so that your knowledge in the area of your certification does not become stale. The units are typically called CPEs (Continuing Professional Education credits).

Reading publications is great, and the importance of research and of understanding new trends and technology should not be downplayed. However, knowledge without application and plans without execution are worth very little. This is why I recommend that you get out there and use your knowledge to make the world a better place. VOLUNTEER!

Some volunteering ideas (for more ideas, visit this Charity Navigator site):

  • Local Police or Fire Dept.
  • Local Schools
  • CASA

Update: Oh yeah, thanks to @martiniblue for pointing out that you should make sure to document your CPEs. I happened to get an audit request for my CPEs yesterday. Just part of the process!