Posted on March 2, 2015 by ashley
Wes Withrow, IT Security Expert
At some point in every IT security professional’s career, someone will ask their opinion on the merits of compliance and how soon compliance frameworks will reach the point where organizations are “hack proof.”
The response almost invariably goes like this: “Compliance isn’t perfect but at least it’s forcing us to talk about security. Nothing is hack proof unless it’s powered off, unplugged from the network, and destroyed with hammers. Even then your data probably got synced to your fridge without you knowing.”
This provides the window of opportunity to explain the difference between being compliant and being secure. Compliance and security were never designed to be packaged and sold as the same product. Somewhere in the chaos of the last decade, the idea that companies protecting their data with compliance-driven security programs were immune to breaches became falsely ingrained in people’s minds.
Moving Beyond Compliance-Driven Security Strategies
Compliance-driven security is a strategy that is less concerned with improving the security posture of an organization and more concerned with quickly “checking the box” to keep regulators at bay. It is the equivalent of passing the bar exam with a D minus and telling yourself that you are now a great attorney.
The alternative that is gathering momentum is a risk-based approach to security. This is the practice of embedding IT security within the organization as a process rather than a checklist. Organizations that practice risk-based security continuously identify, evaluate, prioritize, and balance risks as they change over time. Compliance never goes away with this approach; it just gets folded into the process.
Compliance has historically been viewed as a painful activity that companies approach with a “one day of the year” mindset, usually involving a lot of scrambling to figure out the most basic information about their networks. In contrast, risk-based security is the ongoing process that addresses the other 364 days of the year. Over time, being compliant becomes a byproduct of that process, and the scrambling goes away.
Heightened Visibility Changes the Security Perception
Why does it sometimes feel as if the state of IT security has gotten worse since compliance came around? It’s not that it’s any worse; it’s more of a case where the gaps in IT security are being exposed in alarming ways that now have the attention of everyone.
To understand it more clearly, let’s first wrap some historical context around why compliance frameworks exist and then discuss a major contributing factor that continues to widen the gap between our compliance and our security.
Legal and regulatory compliance frameworks usually originate from necessity. That necessity usually surfaces as the result of an extraordinary event or trend whose catastrophic failure is rooted in a “not my problem” mentality that won’t fix itself. (Whether we agree on the effects of regulation or not is not the purpose of this discussion; let’s agree that this discussion is about the necessity of security and not how to perfect it.)
IT security mandates were never meant to act as a blunt instrument of oppression; they were designed to act as the subtle nudge to the industry to point out the obvious: the cost of inaction will always outweigh the cost of action.
For years compliance-driven security initiatives were shuffled to the bottom of the deck of priorities while companies weathered the economic recession. When organizations were told that they had to take “reasonable and appropriate measures” to secure their data, “reasonable and appropriate” was interpreted as a battle cry conveniently favorable to not doing much at all. Herein lies the primary reason why compliant and secure are not the same thing.
Offensive Capabilities Prove to Be a Business Inhibitor
Shifting from the historical view to a more strategic one, the widening gap between “being compliant” and “being secure” exists because most nations have focused on developing their offensive capabilities (e.g. infiltration, espionage). It has been an all-hands-on-deck effort to support a digital arms race in which attacks are developed and deployed with the knowledge that there is almost always collateral damage as a result.
The odd phenomenon about a compliance-driven or reactive strategy is that the trickle-down effect that provides some military or economic advantage is often wiped out by the collateral damage inflicted on everyone. That is the nature of a pure offense in this game.
It’s somewhat analogous to high-scoring football games. In football, a hurry-up offense is a fast-paced strategy where the team with the ball runs plays in rapid succession with the goal of outscoring their opponents through pure offensive dominance. Fans whose teams run hurry-up offenses love the games they win and are miserable during the games they lose. When your offense scores 65 points a game and your defense gives up 66 points a game, you always lose. The loss almost always feels scripted, with a rough ending.
The approach to cyber is similar in the sense that the world’s most powerful nations have been running hurry-up offenses against each other for years with little focus on defense. This run-and-gun digital arms race has resulted in an unbalanced scenario where the game clock never stops and the defense never has time to catch their wind. The focus on offense advances so quickly that collateral damage inflicted on your own team is an expected outcome of a good game.
Cyber attacks have had some benefits, though very few until recently, when compliance penalties started to carry real financial impact. Without financial penalties for breaches there is little to no incentive to spend on security, and an even lower bar for reporting what happens when companies get breached. Our response when compliance proves inadequate? Apply more compliance, of course.
Hyper-Compliance Bridges the Gap
Hyper-compliance is a relatively new term for an era we have just begun to enter. This era is characterized by rapidly accelerating pressure from both regulators and customers on businesses to secure data, to the point where people become so overwhelmed with how to respond that they lose focus on why they are responding. It’s part frustration and part confusion.
For example, what regulations apply to our company now? What regulation trumps the other? Who is more important, PCI-DSS or GLBA? The list of questions goes on in an infinite loop.
The era we’re facing is less about major rewrites of compliance frameworks and more about rapid enforcement and change to how companies approach IT security. Regulations that were once avoidable and unenforceable will now be mandatory and applied more liberally than in the past. The business-to-business risk evaluation process that companies didn’t have to address in the past will be implemented in contract vehicles and new service agreements in the future. Again, view this as positive but painful change.
The list of changes over the horizon goes on and on, most for the better and some for the worse. Albeit painful at times, this type of vigilant compliance with an increased focus on security will help bridge the gap between people’s understanding of what being compliant versus what being secure means.
Wes’ article above was published in Help Net Security’s March 2015 edition of (IN)SECURE Magazine.