"If you're impacted by HIPAA, you must have a comprehensive security program -- including risk assessment, policy development, controls, and monitoring and response processes -- in place. But if the main concern is SOX, you'll be strictly responsible only for security around particular, auditable processes. Here's an opportunity to act broadly, extending SOX-driven security infrastructure and consulting spending to categories not covered by the audit.
In other words, spend once on developing a risk management and control infrastructure for security and then derive multiple benefits, for example by meeting compliance and catching low-level, non-SOX fraud at the same time.
After taking the right approach, says Hellman, there will scarcely be a distinction between compliance and security success: "It's incredibly intertwined. Compliance is an overlay over your security processes."
As the writer points out, this is an approach, not a solution, but the whole idea of integrating your security and compliance efforts makes so much sense. Too many systems have a network, with some kind of database tacked on, and glued to that some security that accreted through responses to the last five attacks, and then some sort of compliance procedure melded together by the IT and legal departments. When they finally call someone like me, the mare's nest is nearly impenetrable, filled with sacred cows, and the whole thing has cost 3 times what it should.