Previously in this space I’ve talked about how compliance is the enemy of security. Or more accurately, focusing exclusively on compliance is the enemy of security. I will not go into detail on that subject today, for my previous thoughts see this and that. This week, instead of discussing what’s wrong with that mindset, let’s discuss how a security-focused philosophy can lead to success.
The goal of information security is to preserve the confidentiality, integrity and availability (CIA) of our systems and data. It is essential that we keep those goals in mind rather than trading in the CIA triad for a shiny “Certified!” logo on our site. The proper execution of a CIA-minded security plan should result in regulatory compliance, but also so much more.
Think of security as the college education and compliance as the diploma. Some college students strive to learn and experience as much from their time in school as possible. Others see college as simply an expensive and time-consuming way to get a valuable piece of paper. Those who seek only a diploma will do the minimum amount of work and research required to receive passing grades. In the end, both students will walk away with a diploma, but only one will have the depth and quality of knowledge that will lead them into a successful career in their field.
You Are the Expert
You know your organization better than anyone else. This goes beyond your knowledge of the system topology; it includes the market and economic risks your organization faces, as well as the kinds of attacks people would likely launch against you. This gives you the unique ability to craft your security plan around your organizational needs. No certifying body can properly capture the complexity and needs of your organization. You are the expert on your company.
A company’s information security department has the ability to operate nimbly. Compared to the certifying bodies that govern information security standards, your relatively small staff can identify new needs and implement change much closer to real time. This gives your organization a huge advantage in the fight to stay secure, and it is another big reason that CIA-based security will protect your organization better than adhering to a security standard. A security standard has to go through committees, revisions and massive QA before it can be released to the public. By the time they’ve updated their requirements, the relevant vulnerability may have already struck.
By implementing defense-in-depth strategies and targeting your safeguards specifically for your environment, you can greatly reduce the chances of being affected, even by those scary “Zero Day Attacks.” Nobody knows when a new IIS or Apache vulnerability will be discovered, but by adding security measures like web application firewalls and requiring SQL stored procedures, we can reduce the impact the vulnerability will have on our infrastructure, and perhaps even eliminate the vulnerability altogether.
Working from a security-centric mindset allows you to be proactive. It ensures security concerns are addressed from the very beginning of system design. In addition to being more secure, it helps avoid expensive and disruptive audit findings down the road, which usually lead to hurriedly implemented bolt-on security that is more expensive and less effective than properly implemented safeguards.
Part of proactive planning for your organization’s security is knowing the regulations with which you must comply. Include these regulatory obligations in your system requirements documentation early on. If you’ve been following the concepts of self-awareness and forward thinking, you should find that the vast majority of safeguards required by the regulation are already on your list.
Many times in life we have the opportunity to either do what’s right or to settle for appearing to do what’s right. Fortunately, in enterprise information security what’s right also corresponds with what is least expensive and most effective. We must not settle for being compliant when being secure is an option.
Connect with Robb on Google+