Maturing from Compliance to Security
How IT’s compliance mindset would look in another setting:
“Waiter, there’s a fly in my soup!” – patron
“Let me take care of that for you, sir” – waiter, as he reaches into the soup to remove the fly
“Well, the soup looks fine now. Thank you.” – patron, as he digs in
In the world of Information Security, compliance rules with an iron fist. For InfoSec professionals in the health care industry, data must be stored and secured according to HIPAA guidelines. For those in finance, GLBA rules. For those who handle credit card info, PCI-DSS is in charge. For all public companies, SOX is king. The specific rules for these industries differ, but the consequence of failure to comply is the same across them all. If you do not follow the InfoSec rules for your industry, you will start by receiving fines; in the end you will be put out of business.
InfoSec professionals can make a very nice career for themselves by becoming well versed on the specifics of a data protection regulation. Companies spend billions of dollars a year to achieve compliance with the standards governing them. Certainly nobody can blame them for striving to achieve compliance. We cannot do business without it. But does compliance mean we’re secure?
The most high-profile hacks in recent history were performed against PCI-compliant systems. The Heartland fiasco was performed against a company that could put its check in the correct box on a PCI checklist. That didn’t prevent the breach, nor the countless others before and since. So what were these companies doing wrong?
When you set your goal at “achieving compliance” whether it’s to PCI, HIPAA, ISO27001 or any other standard, you are settling for “good enough.” You are using someone else’s bare minimum standard for acceptability as your end goal.
Compliance will never bring security. No checklist or audit, regardless of how many agencies approve it, can account for all the ways vulnerabilities can strike in your specific environment. No governing body can foresee the ways your organization will need to defend itself in the future. As long as compliance is your end goal, security will never be achieved. Much like the fly in the soup, your organization may look clean, but that’s where it will end.
Compliance forces you to permanently work in a reactive mode. While the main objectives of our industry-standard regulations do not change often, the specific checklist items that auditors are looking for frequently do. As auditors add new requirements to their lists, you are continually forced to react and build, or buy, bolt-on solutions that will get you through yet another audit finding but can’t get to the heart of your vulnerabilities.
Finally, compliance leads to security breaches. When an organization aims for compliance rather than security, vulnerabilities are the eventual outcome. Data protection standards are notoriously slow in incorporating new safeguards to defend against new hacker techniques. Those who do the bare minimum to achieve compliance will be among the first to become victims of new zero-day attacks.
Organizations that focus on security will inherently achieve compliance. If you consider security throughout a system’s lifecycle, continually run risk assessments internally (formal or informal) and allocate sufficient resources to security initiatives, compliance with regulations is not a challenge. Drive security into systems as early and as integrally as possible.
Just as we won’t settle for having the fly removed from our soup, we should not settle for security policies that just get us through an audit successfully.
Connect with Robb on Google+