The following is a guest post by Matt Wilgus, Technical Services Practice Manager for VeriSign’s Global Security Consulting group.

While the aforementioned question rarely gets formally asked, it is a decision information security offices deal with all the time. Often the security office also handles compliance initiatives. Given the limited resources, is it better to comply with requirements, if the opportunity cost is investing in a project which could bolster security, but not meet compliance initiatives?

Peta - Golden Mask, by pareeerica

Peta - Golden Mask, by pareeerica

If an organization is secure than the organization should likely appear secure; however, this is not always the case. The extent an organization is secure is open to perception and often boils down to risk tolerance and risk acceptance. However, what really drives tolerance and acceptance? An understanding of the business environment is the primary driver, but legislative and regulatory standards also come into play. These standards mandate organizations implement a certain level security in order to conduct business. Organizations deploy a combination of qualitative and quantitative methods to determine if they can accept the risk in a network, application or environment. Third parties also use similar methods to determine the security of an organization.

Over the past 15 years there has been plenty of legislation and regulation to bolster security in nearly every industry (e.g. HIPAA ’96, GLBA ’99, CISP ’99/’04 PCI, NERC ’03) and nearly all companies face some compliance requirements. Some of the regulation focuses more on privacy than security; however, there are plenty of commonalities. Additionally, there are federal and state related security standards (e.g. FISMA 800-53, SB 1386) and independent programs from the ISF, ISACA, ISO, etc.

The aforementioned items have improved security and generally set a decent bar, but many argue that organizations now only attempt to meet the standard. If compliance requirements didn’t exist, most organizations probably would not have better security than they do today, but some would. If compliance regulations did not exist, security could become a differentiator amongst competitors. There could be a free market on security standards. One benefit would be an organization could better quantify what a security feature is worth, rather than being seen as a cost of doing business.

So it is a decision time between two solutions. Invest in Solution A with excellent coverage on compliance, but provides little in terms of additional security benefit, or invest in a Solution B with little compliance relief, but dramatically improves the quality of security? The security purest would choose the latter; however, doing so probably underestimates the “consider yourself accountable” effect (a.k.a. CYA). It also underestimates that not meeting compliance regulations creates a never ending project.

For the few organizations not governed by any regulations (i.e. those cash only, privately held, single employee entities), try to be secure. For all others, appearing secure may be good enough.

This post originally appeared on