Compliance warrants inclusion in the CIA model in that it's top of mind at so many organizations. In fact, every company for which I do a risk assessment is more concerned with compliance than with security. There's a big difference between security and compliance. For example, compliance with a regulatory password policy might require that passwords be complex and at least 6 characters long. But if I were to recommend that passwords be noncomplex and a minimum of 15 characters (that is, passwords that are orders of magnitude stronger), the organization would have a more secure password policy, but not a compliant one. In nearly every case, compliance wins.
I can't blame IT departments for choosing compliance over security. It's great to have both, but your paycheck (and job security) will be determined by the former before the latter. After all, every company that gets hacked can always tell shareholders, "We were fully compliant with all existing regulations" and thus escape some scrutiny and legal blame. But if you were to opt to be more secure at the expense of compliance, your company would likely face a shareholder lawsuit -- even for the same hacking incident. Don't you love how the world works?
In addition to compliance, security professionals now must consider privacy at all times. All websites must now declare how much personal information they record and share. This poses a serious challenge for organizations like Facebook. Nearly everyone loves and uses the social-networking site, though Facebook continually steps on users' privacy toes as the company tries to maximize profit. A lot of writers dog Facebook for that, but the company has to make a profit to pay the bills. I'm not saying every decision Facebook makes is perfect; some of them I certainly don't agree with. But even the coolest, most usable sites are struggling with what privacy means. The fact that rules are different from country to country doesn't make the balancing act any easier.
Speaking to the topic of the consumerization of IT and allowing employees to use their own computing devices, one Fortune 100 CIO said to me, "I've got the security issues handled; it's the privacy issues that keep me up at night."
The challenge here is that if IT manages employee devices to ensure acceptable security, but in doing so discovers personal information, all sorts of privacy laws automatically apply. Neither the organization nor the affected employees may be aware of the privacy violation. Perhaps it isn't even considered a privacy violation in some countries. If management isn't aware of the privacy violation -- that is, none of the technical people involved are aware of it, or those who are didn't notify management -- how hard can we come down on management?
For all of these reasons, I think it's time CIA morphed into CIA+CP, PIC2A, or whatever. Both topics are important enough that they need to be recognized and analyzed on their own.
This story, "Security alert: Why compliance and privacy matter," was originally published at InfoWorld.com as part of Roger Grimes's Security Adviser blog.