Regulatory compliance is the backbone of a financial institution's information security program. But compliance alone isn't enough, says John Pironti of ISACA's Education Board, who advises institutions to take a risk-based, not a "checklist-based" approach to security.
In an exclusive interview, Pironti discusses:
In addition to his role with ISACA, Pironti is currently the Chief Information Risk Strategist for CompuCom. He has designed and implemented enterprise-wide electronic business solutions, information security programs, and threat and vulnerability management solutions for key customers in a range of industries, including financial services, government, hospitality, aerospace and information technology on a global scale. Pironti holds a number of industry certifications, including Certified in the Governance of Enterprise Information Technology (CGEIT), Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), Information Systems Security Architecture Professional (ISSAP) and Information Systems Security Management Professional (ISSMP). He is also a published author and writer, and a frequent speaker on electronic business and security topics at domestic and international industry conferences.
TOM FIELD: Hi, this is Tom Field, Editorial Director with Information Security Media Group, revisiting today with John Pironti, Chief Information Risk Manager with CompuCom and a member of ISACA's Education Board. John, it's been about six months since we've spoken; it's good to talk to you again.
JOHN PIRONTI: Good talking to you, too, Tom.
FIELD: Here we are, year-end, going into 2009, and it has been an eventful year for one. What would you say have been the three greatest risk management and compliance issues that you've seen this year?
PIRONTI: You know, Tom, I think that is a great question. I think that the most interesting challenge we've faced this year is understanding what should we do first, what should we go after first. A lot of people are actually spending time working on compliance activities more than they are working on risk management security activities due to the release of the new PCI standards and some of the enforcement of PCI, as well as the data breach laws that keep growing in the United States, and the understanding that there now are global laws that need to be dealt with as well, like the E-Data Privacy and Data Security Acts.
So people are really starting to line up around the idea of trying to do what they think they have to do to make these external audiences, like the examiners and the regulatory agencies, happy and not so much focused on their internal risk-based approach to understand what they really should be doing to protect themselves appropriately.
FIELD: Now John, before we got on the phone you mentioned to me the topic of security by compliance. Could you explain what you mean by that?
PIRONTI: Absolutely. This is actually one of my biggest concerns right now in the industry on a global scale. We are spending a lot of our time in organizations focused on trying to meet the needs of regulatory or industry standard requirements. So we have regulations, and in this case industry standards such as the payment card industry standard, which has very explicit and very definitive technological requirements that organizations are expected to meet if they are handling card data; credit card data that is.
So a lot of organizations are spending their time, resources and efforts focused on meeting that checklist or developing checklists from the BITS groups from their FISAP conversations for vendor compliance. They are trying to make sure they are meeting all of the needs of the FISAP requirements, and they are not necessarily taking a risk-based approach that says what is really important in [their] world.
They are not feeling threatened on the analysis. They are not doing appropriate risk management and risk assessment. They are saying 'If I do the checklist, then I must be okay,' and that is really not a good idea. Because the checklist really only gets you part of the way there. It does establish a nice baseline. It does force us to do certain things better than we were doing before in some cases, but it also gives the adversary community a roadmap of what are you doing and where are you spending your time and where are you spending your resources, and they know that, and they are not going to hit you there.