Getting Over Our "Security ≠ Compliance" Obsession

Links and images for this episode can be found on CISO Series (https://cisoseries.com/getting-over-our-security-%e2%89%a0-compliance-obsession/) We repeat "Security ≠ Compliance" so often it's become our mantra. Does anyone pay attention to it anymore? We're unpacking our compulsion to keep saying it on the latest episode of CISO/Security Vendor Relationship Podcast. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Chris Hymes (@secwrks), head of information security, enterprise IT, and data protection officer, Riot Games, makers of League of Legends. Thanks to this week's podcast sponsor Expel Expel is flipping today's managed security model on its head (Ouch!) for on-prem and cloud, taking a technology-driven approach that lets analysts focus on what humans do best: exercise judgment and manage relationships. The company offers 24x7 monitoring through its security operations center-as-a-service, using the security tools customers already have. On this week's episode Why is everyone talking about this now? On LinkedIn, Omar Khawaja, CISO, Highmark Health, argued that every time a security person repeats the "Security does not equal compliance" trope, it translates to a belief that compliance is useless. This caused a flurry of discussion. Is compliance useless? If not, Omar asks what should "Security does not equal compliance" be replaced with? Essentially, how should compliance be viewed in an overall security program? Ask a CISO Scott Holt, sales engineer, cmd, asked our CISOs how they're balancing keeping their information and infrastructure private while at the same time working with vendors to fill security needs? "What's Worse?!" We've got a question based on the build vs. buy debate. Hey, You're a CISO, what's your take on this? Paul Makowski, Polyswarm, asks a question that's very relevant to their business. He said, "Enterprises often subscribe to multiple feeds [of threat intelligence]. They learn their strengths and weaknesses and develop weighting algorithms to divine highest quality intelligence in the context of what's being analyzed. How can the industry close the feedback loop with threat intelligence providers, providing them with an opportunity to improve coverage and efficacy (false positive / false negative rates)?" The Shared Responsibility Model for cloud is, as Amazon and others describe it, the difference between the "security OF the cloud" and "security IN the cloud," with cloud service providers taking care of the OF, and clients taking care of the IN. "In the cloud" means the data, the access – especially guest access, and the usage. More on CISO Series. Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company's data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM. Close your eyes. Breathe in. It's time for a little security philosophy. Steven Trippier, Group CISO, Anglian Water Services, asked, "What are the right metrics to use to illustrate the success / performance of the security team?" We've asked this question before and one of the most popular answers was "mean time to identify and remediate." But here's the philosophical question that Steven asks, "How does this change in an environment where breaches/malware outbreaks are uncommon and stats such as mean time to identify and mean time to contain are not relevant?"