When are IT executives and the analyst community going to recognize that compliance and security need to be tightly integrated and grounded in risk management discipline in order to achieve corporate governance objectives? Surveys of IT executives have found that a large percentage of CIOs believe there is a “tug of war between satisfying regulatory requirements and handling IT security”. In the May 8, 2006, Line56 article entitled Compliance and Security, Demir Barlas also states that “We've known for a while that meeting regulations (e.g. Sarbanes-Oxley and HIPAA) can be financially draining on enterprises, but the Getronics survey calls attention to underlying security issues. IT organizations are limited in what they can achieve, and too much compliance work can take away resources from mission of securing the enterprise.”

Compliance and security activities should always be driven by the risk inherent in an organization’s business processes. Without a risk-based approach, the pointing of the “budgetary” finger between the security and compliance functions will undoubtedly continue. The concept of “Integrated Security” is founded on the premise that organizations should analyze risk at the enterprise level and implement a control framework that addresses or mitigates those risks. When risks are properly identified and analyzed, investment and budgetary support are directed to where the risks are greatest. When risks and controls are poorly designed and implemented, considerable waste occurs in reviewing, testing and remediating procedures that are themselves poorly designed and implemented.
© 2006-2012 Control Origins. All Rights Reserved