Compliance does not equal security
Buy these widgets. Write these policies. Be compliant. Be secure.
While certain industry bodies set specific cybersecurity standards and requirements, following them is not enough to protect your organization from cyber attacks and to achieve resilience.
Security started with compliance
Compliance was the primary driver for many businesses to build a cyber security program. Under early frameworks like the Health Insurance Portability and Accountability Act (HIPAA) and Visa’s Cardholder Information Security Program (CISP) – which later evolved into the Payment Card Industry Data Security Standard, or PCI DSS – failure to meet compliance requirements was met with strict penalties that included hefty fines or the inability to process payments.
While these regulations made forming security teams necessary, those teams were often made up of employees who had previously overseen network and infrastructure. With little to no security experience, these early teams treated the compliance framework as a definitive roadmap to being secure. The boards of these regulatory bodies noticed companies doing only what was mandated, so they expanded the frameworks to encompass more controls. This inevitably led to the cost of being compliant consuming the entire security budget.
Auditing or assessing
When cyber attacks were still in their infancy, the penalties enforced by regulatory agencies were often the biggest motivator behind implementing security. To ensure controls were implemented, regulatory bodies required varying levels of audit. Larger audits required third-party verification, and the subjective question of whether to evaluate the letter of a control or its intent split evaluators into two camps: auditors and assessors.
While auditing looks at the wording of a specific control and “checks the boxes”, assessing looks at the intent behind the control and whether the capabilities implemented fulfill that intent. Assessing goes one step further: it not only ensures the control is in place, but also verifies that it is improving the security posture of the organization.
With few long-term cyber experts to assess the intent of the control, earlier evaluations were primarily audits and created a pandemic of organizations that were compliant, but not secure, often procuring security hardware and software just to check the box (without ever implementing them).
Keeping compliance relevant
Typically, the degradation in the security return on compliance comes from outdated controls with no explanation of intent.
PCI DSS debuted in 2004 with v1.0, and 17 years later we anxiously await the arrival of v4.0. While tweaks and amendments can bring a framework closer to the current threat landscape, the evolutionary cycle of attacker tactics, techniques, and procedures (TTPs) makes even a yearly re-release seem like a flirtation with irrelevance.
Further exacerbating the problem is the highly prescriptive nature of these outdated controls, which act more as a tactical directive than a strategic objective. Referring back to the discussion of assessor vs. auditor above: if organizations are audited on the presence of outdated technology that no longer addresses current attacker TTPs, rather than on their ability to fulfill the intent of the control with more capable technology, compliance not only hinders the evolution of security, but is also counterproductive.
Current compliance mindset
With the increased publicity of today’s cyber attacks and the increased damage they’re inflicting, the cost of insecurity is surpassing the cost of non-compliance and garnering much more attention from the board and C-suite. However, the tidal wave of compliance requirements covering everything from PII to critical infrastructure continues to pull resources required for implementing and administering security.
Regulatory frameworks should define expected security outcomes and the penalties for failure to meet those outcomes – not dictate the means to achieve the outcomes. Today’s cybersecurity professionals are far more adept than those of the past who were pulled from other departments to meet a requirement.
With the career of most CISOs rooted in security, it’s time for regulatory bodies to trust the experts to achieve the expected outcomes of compliance, while protecting the organization’s brand and reputation in a way that enables business.