Security compliance: The next frontier in security research

Practitioners as well as researchers have repeatedly deplored that IT security research has failed to produce practical solutions to growing security threats. This paper attributes this failure to the fact that IT departments no longer invest in security as an ideal. Rather, money is being spent on technologies that enable compliance with security requirements. Academia has not embraced this shift in perspective and still tries to "sell" security when organizations seek to "buy" compliance. This disconnect has lead to research that fails to improve real-world security because it is not embraced in the market place. The conclusion drawn in this paper is that academia needs to complement current security research by additional research into security compliance. To encourage more work in this relatively new direction, the paper describes the major compliance research challenges that await solutions. Copyright 2008 ACM.