Regulatory compliance is no guarantee of IT security

Reports that some companies that suffered data breaches were PCI-compliant demonstrate that passing regulatory tests does not guarantee the integrity of an IT security system.

"Complacency is the IT manager's worst enemy, especially when it comes to IT security," comments Reuven Harrison, chief technology officer of security lifecycle management specialist Tufin. Harrison makes the point that, if senior managers can become frustrated with an IT architecture, then the same thing can happen further down the management chain. When that happens, he says, the firm becomes a breeding ground for IT workarounds that allow staff to work more efficiently but also allow them to circumvent their own security systems. Having systems in place that check any and all IT security configuration changes for compliance with corporate policies, says Harrison, is rapidly becoming a critical component of an efficient security regime. "Regulatory compliance and best practice certifications are excellent indicators of management quality, but when it comes to security, the acid test is whether multiple layers of security are installed, and are reviewed – as well as tested – on a regular basis," he says.