In 2008 I wrote a book based partly on the premise of cross-mapping regulations to build a common control framework for enterprises. The aim was to address, in one place, all of the requirements placed upon a business so that it could meet its unique security and regulatory footprint. The more I work with senior business leadership and with security professionals, the more I recognize a gap: the security professionals push for tighter and richer safeguards, while the business seeks sales.
On reflection, I realize that there is a gap in the broader approach, a blind spot that I and others in enterprises likely share: customer requirements.
Specifically, the cross-mapping I proposed is correct, but it did not go far enough, and from what I have seen nobody's does. I would therefore propose that enterprises, and security compliance programs in general, expand their scope to include market requirements.
The mapping would run from customer requirements (for example SEC and IRS rules, or the industry-specific best practices a customer must follow) to the security controls of the business itself. This would shape, and ultimately increase, the security of the service. It would also remove sales blockers and reduce the ongoing cost of maintaining customer accounts, since the controls a customer will ask about are already identified and documented.
A common statement / question: What are all the things we need to be compliant with in the world?
Corrected question: What do our clients need to be compliant with when using our services?
(The first question absolutely must still be answered, and ideally is already a known variable; the corrected question is the next step in the thinking and in the program itself.)
This is a shift in my thinking over the past year, and one I hope can be debated and developed further.