Regulatory ‘compliance’ – it’s a dirty word in business today. Perhaps that’s because we’re being force-fed more and more rules that various governing bodies believe are the best ways for us to run our businesses. Regardless of what side of the government growth – and IT governance – equation you’re on, IT compliance is here to stay. It’s up to you to figure out how to make it work best for your business.
An interesting thing I’m seeing related to application security is that compliance is often overlooked, sometimes completely ignored. Be it in the SDLC, pen testing, product marketing, customer service – you name it – discussions about compliance just aren’t taking place the way they should be. The thing is, when we get caught up in our own world of application security and nothing else, it’s hard to see the bigger picture: the good, the bad and the ugly of what the business is truly facing in terms of IT overall. It’s easy to hide under the appsec umbrella and deal with all things technical while someone else at a much higher level figures out all that compliance junk. At least we think someone’s handling it.
Many developers I work with aren’t in tune with compliance regulations whatsoever. Okay, maybe PCI DSS. But mention HIPAA, HITECH, GLBA and so on and there’s rarely a connection. The same goes for many DBAs and network administrators. Even certain IT managers are out of the compliance loop. Is the lack of compliance insight the fault of each and every one of these people? Not really, at least to an extent. I do think there’s a level of personal accountability required but no amount of it is going to compensate for a lack of support from the top.
It’s as simple as this: if you don’t have all the right people in your business doing everything that’s needed for compliance, then you’re going to have compliance gaps. It’s like getting a plane off the ground. The gate agents, pilots, ground crew and even the people responsible for snacks and cleaning the lavatories all have to pull their weight to ensure everything’s in check and the flight will be successful. Be it for an airplane or for IT compliance, if one single person doesn’t do everything in his or her power to meet his or her responsibilities, then it’s simply a matter of time before something happens.
Compliance complacency in and around application security provides some interesting insight into the state of security today. Do what you can to get the right people on board and make things happen. Especially avoid the situation where any one of your key employees or contractors is not carrying his or her own weight, working by the mantra “That’s someone else’s job.” Everyone involved with application security is somehow responsible for compliance. Developers, network administrators, pen testers, DBAs, product managers, QA professionals…everyone.