Compliance is a Dirty Word

Been thinking about Compliance vs. Security lately. Working in Financial Services sure has its perks, but one of the negatives is managing the myriad regulatory pressures from across the globe. It seems financial firms are content to respond to this with bureaucratic programs made up of risk assessments, GRC tools, reporting, metrics, RCSAs (risk and control self-assessments) and some more reporting. But are they more secure after all the budget and resources are spent? I believe the answer is no.

Firms do not seem to care though. They have the resources, so they throw money and people at the problem in the hope that something sticks. This is bad for the information security industry, since it creates a false sense of what it means to be “secure” or a “security professional.” People begin to believe they have what it takes to secure infrastructure and applications and to develop an overall security program. But they really don’t; they simply reuse the same old “compliance” practices they learned in previous roles, without moving the security industry forward.

When I look at smaller firms and startups, they tend to hire CISOs or Heads of IT Security with backgrounds in engineering, programming, architecture and the other “meaty” disciplines that make up the security profession. These disciplines and skill sets are needed to build a mature and robust security program. You may argue that these firms have limited or no regulatory pressure, so they can make that choice and bring in the talent that makes sense for their organization, whereas financial firms have to be compliant and so need these regulatory-focused programs, metrics, reporting, etc.

My response:

  • Be security focused first and foremost.
  • Cut down on the bureaucratic, bloated assessment programs that are usually developed by the Big Four consultancies. These programs are overly complex, do little to change the firm and ultimately benefit only the consulting firms.
  • Do what is right for the firm. Build new programs, or change existing ones, so that they actually secure your firm’s data and infrastructure. If they are developed right and you have good communication skills, you should be able to demonstrate how these programs *also* respond to, and comply with, the myriad regulations facing your firm.

Safe computing,


Israel Brisky is a Cyber Security Professional at Nomura. Connect with him on LinkedIn.