Friday, February 6, 2009

Compliance, Audit and You

I love compliance; however, I personally don't enjoy complying (it's the Libertarian in me). I love aiding people and organizations in understanding compliance initiatives and their relevance to business, which ultimately influences the quality of life you and I enjoy in one way or another. I love discussing and strategizing convoluted risk-based frameworks wherein one can account for various and sundry policies, regulations, standards and laws and still maintain and ensure an optimized operational security model. That is and will always be a passion of mine, stemming back to my earliest days in this industry while in the military and on through my many years in management consultancy work. I love Audit too. That's right, I said it. I love conducting audits and inquiries into how and why businesses elect to do what they do while ensuring things are done in a secure manner. I love verifying controls (manual or programmable), while cross-referencing internal and external controls in order to look for discrepancy. Additionally, I love working with organizations to amend those areas in which they are found to be lacking.

Auditing and assessing are key factors in ensuring compliance; I believe that goes without saying. They are the tools used to verify the statements asserted by organizations about how they govern their enterprise, to what degree and for what ultimate goal / outcome. So why is it that so many in the industry view them as hindrances to their jobs and points of grief? Often you'll see (whether in blogs, or in print or on panels) people speaking with disdain regarding compliance and audit initiatives. They ramble on about them as though they were some looming evil on the event horizon for which they must gird themselves or face eradication. It is an over-dramatization to say the least, and a gross demonstration of intellectual dishonesty to assert that these things (compliance initiatives, compensating controls, GRC, etc.) are "stupid" or "lame" or not important. I feel as though these folks are missing the big picture with respect to the role and importance of this type of work. It's necessary and it's not going away. You can look to append blame on various parties, but in the end what matters is performing the due diligence required to not only meet the expectation of the governing bodies and auditors but also to ensure that the environment is secure with respect to people, process and technology.

And what about you? Will you allow yourself to be swept up in the madness that is being espoused by some regarding compliance and audit, viewing these activities as painful, gut-wrenching wastes of time? Or will you too champion the importance of such initiatives and activities, thus helping to bring about a new era of maturity and awareness in the information security community? The choice is yours...and mine!
