While on the face of it this may seem a purely intellectual pursuit, it does have practical implications for today’s organizations. First, let’s tackle the intellectual aspect of the question.
Intellectually speaking, the answer is yes, an organization can be compliant without being secure and can also be secure without being compliant. How is this possible you ask? It all has to do with time perspective. You see, compliance is about looking back. Organizations always have a pending audit date. It might be next month, next quarter or next year. Regardless, the IT staff is constantly collecting data, reformatting it and then presenting it to the auditors in hopes of receiving a positive audit report.
Security, conversely, is about real-time analysis. It’s about looking at the data that’s available TODAY and seeing whether an administrative credential has been compromised, whether a user is attempting to log in from an unusual location (North Korea, for example) or whether you’re experiencing a denial-of-service attack. When this occurs, the security team had better be prepared to take immediate action to stave off a devastating or even catastrophic hack.
So, again, intellectually, you can see how an organization can look at data retrospectively for compliance’s sake, but not review it in real time, only to find out that it has been hacked continuously for three months. And an organization can look at data in real time for security’s sake, but if it is not collecting that data in preparation for an audit, it will fail said audit.
OK, so that’s the intellectual argument. The practical argument is that smart organizations recognize that the component shared by being compliant and being secure is the audit data. An infrastructure that collects audit data for long-term reporting and reviews that same audit data in real time for security breaches is an economical and practical way for an organization to be both compliant and secure with virtually the same security investment.
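As an added illustration of that overlap (not code from the original post), the Python sketch below feeds one constructed audit stream to two consumers: an archive that answers the auditor’s retrospective questions, and rules evaluated on each event as it arrives that flag the two cases the post names, repeated failed logins on a privileged account and a successful login from a country the user never uses. The user names, thresholds and JSON-lines log format are assumptions.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed sample audit log (JSON lines); not data from the original post.
SAMPLE_AUDIT_LOG = """
{"ts": "2024-03-01T09:00:00", "user": "alice", "admin": false, "result": "success", "country": "US"}
{"ts": "2024-03-01T09:01:00", "user": "svc-backup", "admin": true, "result": "failure", "country": "US"}
{"ts": "2024-03-01T09:01:30", "user": "svc-backup", "admin": true, "result": "failure", "country": "US"}
{"ts": "2024-03-01T09:02:00", "user": "svc-backup", "admin": true, "result": "failure", "country": "US"}
{"ts": "2024-03-01T09:03:00", "user": "bob", "admin": true, "result": "success", "country": "KP"}
"""

class AuditPipeline:
    """One audit stream, two consumers: a retained archive for the auditor, and rules run on each event on arrival."""
    def __init__(self, usual_countries, fail_threshold=3, window=timedelta(minutes=5)):
        self.usual = usual_countries      # user -> set of countries they normally log in from (assumed)
        self.fail_threshold, self.window = fail_threshold, window
        self.archive = []                 # compliance: every event, kept for the audit
        self.alerts = []                  # security: findings raised in real time
        self._failures = defaultdict(deque)  # user -> timestamps of recent admin login failures

    def ingest(self, event):
        event = dict(event, ts=datetime.fromisoformat(event["ts"]))
        self.archive.append(event)        # looking back: retained for later reporting
        self._check_now(event)            # looking now: reviewed as it arrives

    def _check_now(self, ev):
        usual = self.usual.get(ev["user"], set())
        if ev["result"] == "success" and usual and ev["country"] not in usual:
            self.alerts.append(("unusual_location", ev["user"], ev["country"]))
        if ev["admin"] and ev["result"] == "failure":
            recent = self._failures[ev["user"]]
            recent.append(ev["ts"])
            while ev["ts"] - recent[0] > self.window:   # drop failures outside the sliding window
                recent.popleft()
            if len(recent) >= self.fail_threshold:
                self.alerts.append(("admin_credential_failures", ev["user"], len(recent)))
                recent.clear()

    def compliance_report(self, start, end):
        """What the auditor asks for later: counts over a past period."""
        rows = [e for e in self.archive if start <= e["ts"] <= end]
        return {"events": len(rows),
                "admin_failures": sum(e["admin"] and e["result"] == "failure" for e in rows)}

def run_sample():
    pipeline = AuditPipeline({"alice": {"US"}, "bob": {"US"}, "svc-backup": {"US"}})
    for line in SAMPLE_AUDIT_LOG.strip().splitlines():
        pipeline.ingest(json.loads(line))
    return pipeline
```

The same five records produce two alerts the moment they arrive and, afterwards, the period counts an auditor would request.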
If you’d like to learn more about how to be both compliant and secure as it relates to your privileged accounts, please check out this on-demand web seminar from noted IT security expert Randy Franklin Smith.