Analyst: Focus on securing biz, not compliance

SINGAPORE--Companies should focus foremost on securing their business and not on achieving compliance, an analyst said, noting that "regulations are really bad for security".

Andrew Walls, research director at Gartner, told ZDNet Asia in an interview Friday that compliant organizations can still have poor security posture, while secure organizations will not find it difficult to comply with any regulations.

"Security produces compliance; compliance does not produce security," he said.

Illustrations of this point are not lacking, Walls pointed out. For example, there have been PCI (Payment Card Industry)-certified companies that have suffered high-profile data breaches.

Systems of U.S. payment processor Heartland Payment Systems and retail owner TJX were reportedly hacked three months after they became PCI-compliant, a McAfee executive noted in an interview last year.

Speaking on the sidelines of a security forum organized by local managed security services provider e-Cop, Sacramento, Calif.-based Walls argued that companies should treat regulations "as just another threat to the organization", similar to how they would, for instance, assess the impact of a virus on their networks.

"Just like any other threat or risk, you mitigate it to a level where you're willing to accept the remaining risk," he said, adding that this may require the company to engage third-party security providers, hire and train security talent, and document organizational processes.

"I don't know anyone who complies with [any regulation] 100 percent," added Walls. "The idea that one must be totally compliant doesn't work--not in the real world. You are as compliant as it is feasible to be compliant."

Risk conversations needed
According to Walls, the most important thing for businesses to improve the management of their security risk is to "make the discussion of risk a normal part of every management process".

That typically calls for a shift in mindset because in many cultures--not just in Southeast Asia--managers who identify risks associated with projects are labeled incompetent by their superiors.

"Through that conversation, they will start to get an understanding of how serious their security problems are, what kind of security problems they have and therefore what sort of solutions [and] services…they need to help manage those security risks," he explained. "But until they start having that conversation, it's going to be really hard [to gain that insight]."

On top of that, businesses need to better protect against fraud by monitoring for suspicious transactions and making verifications where necessary, similar to what credit card companies do when they detect abnormal transaction patterns, added Walls.