We repeat “Security ≠ Compliance” so often it’s become our mantra. Does anyone pay attention to it anymore? We’re unpacking our compulsion to keep saying it on the latest episode of CISO/Security Vendor Relationship Podcast.



This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Chris Hymes (@secwrks), head of information security, enterprise IT, and data protection officer, Riot Games, makers of League of Legends.

Thanks to this week’s podcast sponsor Expel

Expel is flipping today’s managed security model on its head (Ouch!) for on-prem and cloud, taking a technology-driven approach that lets analysts focus on what humans do best: exercise judgment and manage relationships. The company offers 24×7 monitoring through its security operations center-as-a-service, using the security tools customers already have.

Got feedback? Join the conversation on LinkedIn.

On this week’s episode

Why is everyone talking about this now?

On LinkedIn, Omar Khawaja, CISO, Highmark Health, argued that every time a security person repeats the “Security does not equal compliance” trope, it translates to a belief that compliance is useless. This caused a flurry of discussion. Is compliance useless? If not, Omar asks what should “Security does not equal compliance” be replaced with? Essentially, how should compliance be viewed in an overall security program?

Ask a CISO

Scott Holt, sales engineer, cmd, asked our CISOs how they’re balancing keeping their information and infrastructure private while at the same time working with vendors to fill security needs?

“What’s Worse?!”

We’ve got a question based on the build vs. buy debate.

Hey, You’re a CISO, what’s your take on this?

Paul Makowski, Polyswarm, asks a question that’s very relevant to their business. He said, “Enterprises often subscribe to multiple feeds [of threat intelligence]. They learn their strengths and weaknesses and develop weighting algorithms to divine highest quality intelligence in the context of what’s being analyzed. How can the industry close the feedback loop with threat intelligence providers, providing them with an opportunity to improve coverage and efficacy (false positive / false negative rates)?”

The Shared Responsibility Model for cloud is, as Amazon and others describe it, the difference between the “security OF the cloud” and “security IN the cloud,” with cloud service providers taking care of the OF, and clients taking care of the IN. “In the cloud” means the data, the access – especially guest access, and the usage.

Newer, serverless computing methods tends to obfuscate the model somewhat which puts more onus back on client security professionals. Ownership of security is a critical blind spot. Corporate security teams and cloud service providers need to have some clear and regular communication about this, since changes and convergences happen with alarming frequency.

A recent Gartner report suggests that over the next five years, at least 95% of cloud security failures will be the customer’s fault. When you think about far reaching data privacy legislations like GDPR now in force, this places the requirement of securing personal data back in the data owner’s corner.

With no disrespect intended toward cloud service providers, it’s best to assume they can and will take care of the minimum requirement of security measures.

Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company’s data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM.

Close your eyes. Breathe in. It’s time for a little security philosophy.

Steven Trippier, Group CISO, Anglian Water Services, asked, “What are the right metrics to use to illustrate the success / performance of the security team?” We’ve asked this question before and one of the most popular answers was “mean time to identify and remediate.” But here’s the philosophical question that Steven asks, “How does this change in an environment where breaches/malware outbreaks are uncommon and stats such as mean time to identify and mean time to contain are not relevant?”