You May be Surprised
A recent poll of 1,100 corporate executives across the globe found that 64% of them consider compliance a “very” or “extremely” effective strategy for preventing data breaches [1]. That finding is troubling, especially since many of the largest recent data breaches affected organizations that had reported themselves compliant with the regulatory frameworks mandated for their industry.
While there are many terms and phrases that have become overused in the Information Security and Risk industry, this one holds true:
Compliance is not Security.
IT Risk and Security: Framing the Issue
Organizational leaders should recognize the lesser importance of compliance frameworks, and the greater importance of protecting business-critical data:
- What is it?
- Where does it live?
- Who has access to it?
- How do we know if any violations have occurred?
- If they have, what next steps should be implemented?
To establish a baseline for discussion, it should be understood that compliance is an either/or, pass/fail, yes/no decision-tree model. The compliance model is not very good at qualifying effectiveness.
Let’s run through an exercise:
- Do you have a firewall?
- Do you have anti-virus?
- Do you enforce complex passwords?
- Would any, or even all, of these infrastructure controls prevent an advanced adversary from stealing your business-critical data?
- Would these infrastructure controls prevent an adversary from using your intellectual property to generate profit on the internet black markets?
This exercise illustrates how the compliance model falls short in qualifying effectiveness. Let us look a bit deeper:
- Firewall installed?
Your firewall blocks unsolicited traffic INTO your network, but your HR director was just phished into visiting a website that installed a malicious remote-access application on his laptop. That implant is now communicating with a command-and-control server somewhere on the Internet, because your firewall is also configured to allow unrestricted OUTBOUND access for your users.
- Anti-Virus installed?
Every day more malware is discovered that infects hosts by injecting itself directly into memory. Such malware bypasses most (if not all) anti-virus products because the initial infection does not rely on executing a binary from disk.
- Password policy that enforces complex passwords?
An adversary might call your users posing as IT support and politely ask them for their passwords. At the very least, the malware that just injected itself into memory can also scrape those complex passwords from running processes.
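The firewall item above is the one that lends itself to a concrete illustration: the checkbox says “firewall installed”, but only the outbound rules decide whether the implant on the HR laptop can reach its command-and-control server. The script below is an added example, not code from the original post or from Black Box; it evaluates a few constructed outbound-connection records against two egress policies, the default-allow configuration the text describes and a default-deny policy with an allowlist. All hosts, addresses, ports and the proxy/resolver/relay layout are assumptions made up for the example (203.0.113.0/24 is a documentation range standing in for “somewhere on the Internet”).

```python
"""Added example (not from the original post): egress policy evaluator.

Replays constructed outbound-connection records through two firewall
policies and reports which connections each one lets out.  Addresses,
ports and the internal-infrastructure layout are all assumed.
"""
from dataclasses import dataclass
from typing import Optional
import ipaddress


@dataclass(frozen=True)
class Conn:
    """One outbound connection attempt seen at the perimeter."""
    src: str
    dst: str
    dport: int
    proto: str          # "tcp" or "udp"
    note: str = ""      # label for the reader only; the policy ignores it


@dataclass(frozen=True)
class Rule:
    """A single egress rule; None in a field means 'any'."""
    dst_net: str
    dport: Optional[int]
    proto: Optional[str]
    action: str         # "allow" or "deny"

    def matches(self, c: Conn) -> bool:
        if ipaddress.ip_address(c.dst) not in ipaddress.ip_network(self.dst_net):
            return False
        if self.dport is not None and self.dport != c.dport:
            return False
        if self.proto is not None and self.proto != c.proto:
            return False
        return True


@dataclass(frozen=True)
class Policy:
    name: str
    rules: tuple        # ordered Rule objects; first match wins
    default: str        # action applied when no rule matches

    def decide(self, c: Conn) -> str:
        for r in self.rules:
            if r.matches(c):
                return r.action
        return self.default


# The "checkbox" configuration from the text: inbound is locked down,
# but outbound is default-allow with no rules at all.
PERMISSIVE = Policy("outbound allow-all", rules=(), default="allow")

# Hardened egress (assumed layout): workstations may only reach internal
# infrastructure; web traffic must go through the proxy, where it is logged.
RESTRICTIVE = Policy(
    "outbound default-deny",
    rules=(
        Rule("10.0.0.53/32", 53, "udp", "allow"),     # internal DNS resolver
        Rule("10.0.0.80/32", 3128, "tcp", "allow"),   # outbound web proxy
        Rule("10.0.0.25/32", 587, "tcp", "allow"),    # mail relay
    ),
    default="deny",
)

# Constructed records; 10.20.5.17 stands in for the HR director's laptop.
RECORDS = (
    Conn("10.20.5.17", "10.0.0.53", 53, "udp", "DNS lookup"),
    Conn("10.20.5.17", "10.0.0.80", 3128, "tcp", "browsing via proxy"),
    Conn("10.20.5.17", "203.0.113.45", 443, "tcp", "implant beacon, direct to Internet"),
    Conn("10.20.5.17", "203.0.113.45", 53, "udp", "implant fallback, DNS to external host"),
    Conn("10.20.5.17", "10.0.0.25", 587, "tcp", "mail submission"),
)


def evaluate(policy: Policy, records=RECORDS):
    """Return {record: decision} for every record under the given policy."""
    return {c: policy.decide(c) for c in records}


def denied_destinations(policy: Policy, records=RECORDS):
    """Destinations the policy blocks; each deny is also a log event worth alerting on."""
    return sorted({c.dst for c, d in evaluate(policy, records).items() if d == "deny"})


if __name__ == "__main__":
    for policy in (PERMISSIVE, RESTRICTIVE):
        print(f"== {policy.name} ==")
        for c, decision in evaluate(policy).items():
            print(f"{decision:5}  {c.src} -> {c.dst}:{c.dport}/{c.proto}  ({c.note})")
```

Under the permissive policy every record, including the beacon, is allowed, so the firewall checkbox is ticked while the implant talks freely. Under the default-deny policy the direct beacon and its DNS fallback are dropped and logged, while the laptop's legitimate traffic still flows through the resolver, proxy and relay. The denied-destination list is the detection value of egress filtering: a workstation repeatedly trying to reach an unknown external host is exactly the signal the “yes/no” question never surfaces.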
At a high level, one of the obvious issues with static compliance frameworks is that they are used to measure something subjective and abstract. Understanding point-in-time objective security (“how safe you actually are”) is not an easy task; it borders on being an art of risk calculation and analysis rather than a skillset. Answering the question “how safe do you feel?”, on the other hand, is completely subjective: in relation to security, everyone “feels” differently based on their own experiences and status quo. Chris Nickerson, from Lares Consulting, addresses this in his excellent TEDx talk, “Hackers are all about curiosity, and security is just a feeling” [2].
The Cost of Complacency
Where things typically get messy in compliance vs. security is the “safe” feeling one usually enjoys after passing a compliance assessment—a static yes/no framework being used to measure objective security without quantitative or qualitative data or analysis. The passing grade tends to create a feeling of increased security, even though the threat likely remains unchanged and the risks to the business still exist. Here is a real-world example of how feelings may not mirror reality: today’s continuous news coverage of global threats fosters a feeling of reduced personal security, yet the actual threat to any given individual is exceptionally low. Recognizing the difference between feeling secure and being secure is critical in the information security discussion.
In the end, the advanced adversary that is incentivized to try to steal your business-critical data cares very little about your successful compliance audit or framework. To your competition, your data is merely a series of 1s and 0s, in transit or at rest. When vetting compliance auditors, ensure that they are familiar with your industry’s specific compliance framework. However, when vetting red and purple team attack vendors, make sure that they are experts in simulating the theft of those 1s and 0s. Your adversary does not care about your compliance framework. Neither should your pen-testing vendor.
With that said, the “Compliance is not Security” viewpoint tends to be taken to an extreme by Information Security and Risk professionals, many of whom hold that compliance frameworks should at the least be de-valued, or at the extreme thrown out altogether. The reality today is that compliance frameworks (mandated or otherwise), while flawed and perhaps over-emphasized in relevance, remain an important aspect of:
- any organization’s Enterprise Security Architecture (ESA), or
- any program that helps align business goals with the protection of business-critical data
An Enterprise Security Architecture framework that focuses on the protection of business-critical data and evolves with your business should act as the anchor for your compliance requirements. For compliance, each and every one of the static yes/no questions maps directly into the broader security initiative supporting the business.
Compliance does not mean Security, but Security does include Compliance.
More information on Black Box Security and Risk solutions is available from Black Box.