Boardroom Conversations on Security: Part 5

Boardroom Conversations on Security is an ongoing series on how to discuss and present cyber security concerns to your board. It comes from an extended conversation between Enrique Salem, Investor at Bain Capital, and Erkang Zheng, CEO of JupiterOne. For your convenience, the entire series is available as a single download.

"Erkang, one of your most public positions is 'Compliance does not equal security.' What do you mean by that?"

Erkang Zheng

I've been saying that since my IBM days! It is actually one of the reasons I ended up building JupiterOne. Because the more I said it, the more I was like, "Oh my God, there's something wrong with that statement." It is the reality. However, the thing that is wrong is how we approach and how we practice compliance. How we traditionally practice compliance is the auditor comes in, checks the box, and they go away and come back next year. This type of approach is the cost of saying that compliance is the same as security.

If we flip that around, and if we say, "Let's look at operational security as a day-to-day practice and compliance as an automated outcome of that," then those two things can be one and the same. That's sort of the holy grail of any security program. You want security and compliance to be one and the same thing and not different.

Enrique Salem

If you look at most mature companies, they usually have some division in the roles. If you think about it, my public companies have somebody who is, I will call, the CISO, the Chief Information Security Officer, or the Chief Security Officer. But then they usually have somebody who is focused on the compliance side of the business. They may have a Chief Compliance Officer. The bigger companies have both roles, and they're not one and the same person.

Erkang Zheng

Do you see that changing, Enrique? To some extent, we will continue to drive the challenge of those two being separate and disconnected.

Enrique Salem

Should they be separate? That's an interesting question. Should they leverage the same tooling? Absolutely. Where you get yourself in trouble is where the compliance team is using a very different set of tools than the security team. As much as possible, we should be thinking about evidence collection and other things in a consistent way. Both groups need much of the same data. It would really be a shame if they don't work closely together.

Can I see a place where compliance and security work together? I would say, absolutely, but let's not lose sight that there's a lot of differences in what they have to do and look at. But again, I want to make sure they use the same tooling. It would really be a shame if they don't.

Erkang Zheng

That's an awesome point. It's not about the separation of the roles, because there are needs for that. It's more about having access to the same tooling and data to come to the same conclusions.

Continue reading with Boardroom Conversations on Security: Part 6, or download the entire series for easy distribution to your board and security team.

About Enrique Salem

Enrique Salem was the president and CEO of software company Symantec from 2009 until 2012, and was a member of Barack Obama's U.S. President's Management Advisory Board.  Enrique joined Bain Capital Ventures in 2014, where he focuses on infrastructure software and services with a specialization in cybersecurity.

About Erkang Zheng

Erkang Zheng is a hands-on leader in cybersecurity. He is an engineer by trade and an entrepreneur at heart. Before starting JupiterOne, Erkang was CISO, Privacy Officer, at GM LifeOmic Security. In August of 2021, Erkang was selected as one of The Top 25 Cybersecurity CEOs of 2021 by The Software Report.

Mark Miller

Mark Miller speaks and writes extensively on DevSecOps and Cybersecurity. He has published 9 books, including "Modern Cybersecurity: Tales from the Near-Distant Future".
