Should IT leaders incorporate the language of compliance frameworks into their security posture?

VP, Chief Security & Compliance Officer in Software4 years ago

When are we as leaders in the industry going to rise up and have some control over these framework organizations so that they will start recognizing the evidence that I collect and not needle me to death? The evidence has the same intent of the law versus the letter of the law. I've got the evidence there, I just have a different term. For example, instead of my “objective,” it's my “goals.” But it's still there.

Executive Coach / Global Chief Information Officer & CISO in Education4 years ago

Unless there is a massive invasion by aliens to come in and eradicate every lawyer on the planet, you're going to have to close one eye and determine whether or not the language fits and interpretation versus letter of the law. Unless we're mandated by a higher being that says, “Follow this law. This is what this means and there are no deviations,” then we just have to do our best. I've gone through too many others, like HIPAA, HITRUST, PCI, and everything else; I'm going to do my best and the rest has to come after that. 

When you're talking about security, it all has to be highly customized and subjective; you cannot have one framework that is perfect for everyone. There are concessions there because you have different requirements, different needs, etc., and we don't have an endless amount of money to spend.
