Boardroom Conversations on Security: Part 5

Boardroom Conversations on Security is an ongoing series on how to discuss and present cyber security concerns to your board. It comes from an extended conversation between Enrique Salem, Investor at Bain Capital, and Erkang Zheng, CEO of JupiterOne. For your convenience, the entire series is available as a single download.

"Erkang, one of your most public positions is 'Compliance does not equal security.' What do you mean by that?"

Erkang Zheng

I've been saying that since my IBM days! It is actually one of the reasons I ended up building JupiterOne. Because the more I said it, the more I was like, “Oh my God, there's something wrong with that statement.” It is the reality. However, the thing that is wrong is how we approach and how we practice compliance. How we traditionally practice compliance is the auditor comes in, checks the box, and they go away and come back next year. This type of approach is the cost of saying that compliance is the same as security.

If we flip that around, and if we say, “Let's look at operational security as a day-to-day practice and compliance as an automated outcome of that,” then those two things can be one and the same. That's sort of the holy grail of any security program. You want security and compliance to be one and the same thing and not different.

Enrique Salem

If you look at most mature companies, they usually have some division in the roles. If you think about it, my public companies have somebody who is, I will call the CISO, the Chief Information Security Officer, or the Chief Security Officer. But then they usually have somebody who is focused on the compliance side of the business. They may have a Chief Compliance Officer. The bigger companies have both roles, and they're not one and the same person.

Erkang Zheng

Do you see that changing, Enrique? To some extent, we will continue to drive the challenge of those two being separate and disconnected.

Enrique Salem

Should they be separate? That's an interesting question. Should they leverage the same tooling? Absolutely. Where you get yourself in trouble is where the compliance team is using a very different set of tools than the security team. As much as possible, we should be thinking about evidence collection and other things in a consistent way. Both groups need much of the same data. It would really be a shame if they don't work closely together.

Can I see a place where compliance and security work together? I would say, absolutely, but let's not lose sight that there's a lot of differences in what they have to do and look at. But again, I want to make sure they use the same tooling. It would really be a shame if they don't.

Erkang Zheng

That's an awesome point. It’s not about the separation of the roles, because there are needs for that. It's more about having access to the same tooling and data to come to the same conclusions.

Continue reading with Boardroom Conversations on Security: Part 6, or download the entire series for easy distribution to your board and security team.


About Enrique Salem

Enrique Salem was the president and CEO of software company Symantec from 2009 until 2012, and was a member of Barack Obama’s U.S. President's Management Advisory Board. Enrique joined Bain Capital Ventures in 2014, where he focuses on infrastructure software and services with a specialization in cybersecurity.


About Erkang Zheng

Erkang Zheng is a hands-on leader in cybersecurity. He is an engineer by trade and an entrepreneur at heart. Before starting JupiterOne, Erkang was CISO, Privacy Officer, at GM LifeOmic Security. In August of 2021, Erkang was selected as one of The Top 25 Cybersecurity CEOs of 2021 by The Software Report.



Posted By Mark Miller

Mark Miller speaks and writes extensively on DevSecOps and Cybersecurity. He has published 9 books, including "Modern Cybersecurity: Tales from the Near-Distant Future", and the popular "Epic Failures in DevSecOps" series.

Mark actively participates in the DevSecOps and cybersecurity communities by producing DevSecOps tracks at security conferences such as RSA Conference, InfoSec Europe, CD Summit, AppSec USA and AppSec EU. He is the former Senior Director of Editorial Strategy and Content at JupiterOne.

As well, Mark is Executive Producer of the OWASP Podcast Series (500K+ listens), and the Executive Editor of the LinkedIn DevOps Group (125K+ members).