Compliance versus Security 2
See previous article: Maturing from compliance to security
Proactive: Plan ahead, think through what issues may come up, and put in the effort on the front end to reduce unexpected issues. This means fewer surprises down the road and a higher-quality product the first time. But the up-front work is more resource intensive. Proactive work requires planning and spending for things that may never happen.
Reactive: Create your product with only the features and functions that are required right now. This is faster and easier than proactive work. It’s much more cut and dried. But the lack of foresight may end up requiring significant duplication of work down the road.
A reactive organization creates its security program based solely on complying with a certain regulation or passing a particular audit. This organization takes a point-in-time snapshot of the regulations and sets that as the target for its program.
Proactive organizations craft programs based on both current requirements and projectable future requirements. To be clear, this does not mean they forgo building in features to meet compliance requirements. On the contrary, those requirements will be one of many ingredients. But the proactive organization is also looking toward what is coming down the road, what its peers are doing, and where the attackers are coming from.
Example: PCI-DSS does not specifically require encryption of data at rest. It does require that all cardholder data be protected (Requirement 3) and that, if the primary account number is stored, it must be truncated, hashed or encrypted, but a merchant can decide not to store the data and avoid having to encrypt data at rest. A reactive organization might give a sigh of relief and leave it at that. But a proactive organization should spend some time considering this, especially as it is creating a new IT system. What is the cost of implementing encryption of data on the servers? What would the scope be? What is the impact of not storing the account number? By performing that analysis they change the decision from a Compliance mindset to a Security mindset, with a focus on the business itself.
A reactive company, just trying to achieve its PCI compliance, will be happy to finish the checklist and call it done. A proactive organization will seek out what else is going on in the world of security. As a private company it wouldn’t be subject to Sarbanes-Oxley, but a proactive security practitioner might look to implement SOX safeguards for two reasons. First, the minimum requirements for PCI-DSS are bound to change as technology changes. By looking to other InfoSec standards, the proactive organization can position itself for the changes to its own regulations. Second, the organization may someday decide to go public. Having built in those SOX protections from the beginning will reduce the workload during an IPO or acquisition, a time when resources are generally at a premium.
A proactive company will keep an eye on what the bad guys are doing. If the InfoSec standard you follow says you just need a firewall, but you find that your employees have been setting up unprotected WiFi on your network and all the folks at the coffee shop next door have been surfing your network, your company’s needs just changed. The nature of your industry, your company and the technologies you utilize will determine the nature of the attacks against you. You cannot depend on a framework or regulatory agency to know which threats are most dangerous to your company. Self-awareness and active monitoring are needed.
Considering whether your organization is proactive or reactive is a great start. But it’s not the end. An organization that is proactive one day can become reactive the next as new business pressures emerge and new priorities are assigned. It takes diligence from each level of the organization to keep a proactive security posture. If you want to read more about enterprise security maturity, see McAfee’s maturity model.
Connect with Robb on Google+