Avoid spending fatigue

17.04.2006

SIDEBAR

Regulatory driver

There's nothing like a regulation to help justify security expenditures. Nothing shapes a funding argument quite so well as the threat of fines, jail or marred reputation resulting from regulatory noncompliance.

However, IT has to be careful about how hard and how often it pushes the compliance button. One reason is that organizations are increasingly appointing people specifically for that job, and IT should work with them -- as well as with the legal department, auditing and internal risk management -- and base security investments on the decisions that come out of those bodies.

"I've had feedback that it sometimes looks like IT or the security department is the tail trying to wag the compliance dog," says Tom Scholtz, an analyst at Gartner. "IT should be a key partner but shouldn't hijack the debate and lead the effort." In particular, Scholtz warns, don't use compliance as an excuse for security projects that otherwise wouldn't have been justified.