To continue this month's conversation on compliance, we have another special guest joining us on the blog today. Alex Naveira is the Director, ITGA & CISO at Miami Children's Hospital and oversees multiple locations. When we asked Alex what compliance meant to him, he listed several different kinds of compliance and asked, "Which one?" Needless to say, a CISO's job is quite complex when it comes to compliance, and we are thrilled to have Alex join us to explain what he sees in his day-to-day work.
An elderly man falls off of a subway platform and onto the train tracks. A stranger pulls the man to safety while the train screeches to a stop. Witnesses called the rescuer a hero, but he said: “No, my intuition made me do it and I just did what was right.” Now, what does this story have to do with compliance? What is compliance?
According to the Oxford English Dictionary, compliance is defined as “acting in accordance with, and fulfilment of … conditions, or regulations,” but in information security this goes further: it is more than just acting in accordance with regulatory conditions or requirements. It is consistently acting with initiative, which according to Victor Hugo is “doing the right thing without being told.” For one reason or another, some wait until they are told what is right or wrong before acting, but this places industries at risk, especially if they are not taking steps to proactively protect their technologies and the information housed within them.
The first thing we need to understand before we can have a well-established information security governance, risk and “compliance” program is what we are striving to protect (e.g. resources, systems, identities). Next, we need to put in place the processes and tools required to protect the information and technical resources within the environment. Examples of these processes include access authorizations, continuous monitoring of infrastructure and system access for threats, and the prioritization and remediation of those threats. Adaptive tools in today’s protection arsenal include Identity and Access Intelligence (IAI) systems, SIEMs with threat intelligence capabilities, and intelligent Network Access Control (NAC) systems. Before regulations required it, we were already implementing passwords, role-based security, firewalls, IPSs, and Identity and Access Management systems. Why? Because experience and intuition told us that it was the right thing to do.
Today, we leverage these processes and tools to provide us with a more intelligent path to management of and control over our networked devices and, most importantly, our identities. As a consequence, this naturally allows us to comply with regulatory requirements and institutes a culture of doing not only what is within the strict parameters of the law, but also what is right. In less proactive organizations, compliance can certainly be used as a catalyst for approving the funds necessary to optimize security and operations, but it should never be used as the sole reason for doing what is right.
When an elderly man falls off a subway platform and is immediately rescued by a stranger, does the stranger wait for others to provide him with “the law” of correctness before acting? Of course not! He just does what is right, even if it is difficult or expensive. In the current world of nefarious movements, we need to establish an inherent culture of doing the right thing, not because a regulation tells us that it is right, but because our experience and intuition have assured us that it is the right thing to do.
Alex Naveira, CISSP, CISA
Director, ITGA & CISO
Miami Children's Hospital