Why compliance is never enough
Organizations are well aware of the security risks inherent in our hyper-connected world. However, many make the mistake of focusing their attention on being compliant rather than on ensuring that their security strategy is effective and efficient. As the threat landscape continues to evolve, this compliance-driven, checkbox mentality is setting many organizations up for a potentially disastrous fall (or breach).
Being in compliance does not guarantee that a company has a comprehensive security strategy in place; the two are fundamentally different disciplines. The objective of compliance is to meet externally imposed, largely static requirements, and meeting them often does not require a good security posture. Put simply, compliance is a reporting function, and prioritizing it at the expense of security exposes the organization to a growing number of threats.
Despite this, numerous companies treat compliance as the driver behind security procurement decisions. This approach frequently results in an inadequate toolkit that is tactical in nature rather than part of a holistic security strategy, leaving organizations with a vast patchwork of point solutions. That patchwork is problematic for two reasons. One, the seams between disconnected tools leave gaps that make breaches easier in this fragmented environment; and two, these solutions often incur additional inefficiencies and expense.
Many auditors and compliance frameworks require a WAF to protect websites, but companies often do the minimum necessary to get the checkmark. This frequently results in the WAF running only in monitoring mode, where attacks are logged but never blocked, or in it being limited to blocking a handful of specific attacks. Considering that web applications remain among the most frequently attacked entry points, deploying something that meets the minimum compliance standard does not truly protect against this attack vector.
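What "monitoring mode" looks like in practice, as an added illustration that is not part of the original article: the two ModSecurity configuration fragments below contrast a checkbox deployment with one that actually enforces. The directives are ModSecurity v2 syntax used with the OWASP Core Rule Set (CRS); the include paths and the threshold values are assumptions, and only one of the two fragments would be present in a real configuration.

```apache
# Added example, not from the original article. ModSecurity v2 + OWASP CRS.
# Paths and threshold values are assumptions; use one fragment, not both.

# --- Checkbox deployment -----------------------------------------------
# Rules are evaluated and rule hits appear in the audit log, so an auditor
# sees "a WAF with alerts". Nothing is ever blocked: an attacker sees no
# difference between this and no WAF at all.
SecRuleEngine DetectionOnly
Include /etc/modsecurity/crs/crs-setup.conf
Include /etc/modsecurity/crs/rules/*.conf

# --- Protective deployment ---------------------------------------------
# The engine enforces. Per CRS convention individual rules only add to an
# anomaly score ("pass"); the CRS evaluation rule then denies any request
# whose score reaches the inbound threshold. Setting the threshold
# explicitly (rule id 900110 in crs-setup.conf) makes the blocking
# behaviour a deliberate, reviewable choice rather than a default.
SecRuleEngine On
SecDefaultAction "phase:1,log,auditlog,pass"
SecDefaultAction "phase:2,log,auditlog,pass"
SecAction "id:900110,phase:1,pass,t:none,nolog,\
  setvar:tx.inbound_anomaly_score_threshold=5,\
  setvar:tx.outbound_anomaly_score_threshold=4"
Include /etc/modsecurity/crs/crs-setup.conf
Include /etc/modsecurity/crs/rules/*.conf
```

The practical check is simple: if `SecRuleEngine` reads `DetectionOnly` on production web tiers, the WAF is satisfying an audit, not protecting the application. Moving to `On` should be paired with a tuning period in which the anomaly threshold and false positives are reviewed, otherwise the first week of blocking becomes the argument for switching it back off.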
These inefficiencies arise not only because it is difficult to manage a wide array of point solutions, but also because such tools often lack the automation needed to keep up with a dynamic threat landscape. The approach is also more expensive, since decisions are not made strategically, and more staff and time are required to configure, manage and maintain the diverse toolkit.
For these and other reasons, letting compliance determine security investments is short-sighted. Compliance should be a byproduct of a robust security program, not the foundation of it. Procurement decisions must be made in response to the organization’s unique threat environment, ensuring that all resulting products are tailored to address the company’s specific needs.
So how can organizations bridge the compliance gap?
Security leadership can steer senior management from focusing solely on compliance by educating them on what must be done to protect against today’s advanced cyber threats.
For an organization to shift away from a compliance mindset, the CISO must demonstrate how solutions chosen solely for compliance leave parts of the organization exposed. By moving the debate from a technical one to one framed in terms of business impact, security leaders can drive decisions that support a proactive, risk-mitigating security program.
A critical part of this shift is defining the organization's security priorities. Every business is unique and has its own set of vulnerabilities and its own appetite for risk. Organizations should identify the most commonly attacked components in their specific industry, the most vulnerable technologies in their portfolio, and which threat vectors are most viable against them. In financial services, for example, a company focused on PCI compliance may deploy file integrity monitoring, which only reports that a defined set of files has changed. From a security perspective, file activity monitoring is preferable: it records who accessed which data and how, which allows you to identify excessive permissions and abnormal access, not just after-the-fact modification. By doing the right thing for security you can still meet the compliance goal, or show that you have compensating controls in place.
Once the priorities are defined, a business case should be built outlining the problems and their respective solutions. Explaining this in terms of business impact and providing ROI data will help secure stakeholder buy-in. This is a time-consuming but essential step that ensures budget is invested wisely.
Another critical element is to outline how a compliance-driven approach can hurt business performance. For example, a DLP tool may be required for compliance, but DLP agents heavily impact user systems, require significant technical support, and, when deployed only to satisfy a checkbox rather than tuned to the data the business actually needs to protect, provide little real security value.
Security must be recognized as a critical business risk by senior management and the board. Treating it as purely a compliance exercise creates inefficiencies and burns resources but, more critically, it puts the organization at risk. An effective security program should be built from the ground up on the organization's specific needs. This approach makes future compliance audits easier, saves money in the long term, and protects the business. Companies need to take a holistic view of security and approach it as a business-wide concern rather than merely the responsibility of the CISO. Only then will organizations be ready to deal with the ever-evolving threat landscape.