A recent poll of 1,100 corporate executives across the globe found that 64% of them consider compliance a “very” or “extremely” effective strategy in preventing data breaches.1 This poll is troubling, especially since many of the largest, most recent data breaches affected organizations that reported themselves to be compliant with appropriate mandated regulatory frameworks for their industry.
While there are many terms and phrases that have become overused in the Information Security and Risk industry, this one holds true: Compliance is not Security.
Organizational leaders should recognize the lesser importance of compliance frameworks, and the greater importance of protecting business-critical data:
To establish a baseline for discussion, it should be understood that compliance is an either/or, pass/fail, yes/no decision-tree model. The compliance model is not very good at qualifying effectiveness.
Let’s run through an exercise:
This exercise illustrates how the compliance model falls short in qualifying effectiveness. Let us look a bit deeper:
At a high level, one of the obvious issues with static compliance frameworks is that they are used to measure a subjective abstract. Understanding point-in-time objective security (“how safe you actually are”) is not an easy task, and borders on being an art of risk calculation and analysis rather than a skillset. But answering the question, “how safe do you feel?” is completely subjective; in relation to security, everyone “feels” differently based on their own experiences and status quo. Chris Nickerson, from Lares Consulting, addresses this in his excellent TEDx talk: Hackers are all about curiosity, and security is just a feeling.2
Where things typically get messy with compliance vs security is the “safe” feeling one usually enjoys when passing a compliance assessment—that static Yes/No framework being used to measure objective security without quantitative or qualitative data and/or analysis. The passing grades tend to give the feeling of increased security, even though the threat likely remains unchanged and risks to the business still exist. Here is a real-world example of how feelings may not mirror reality: today’s continuous news coverage of global threats fosters feelings of reduced personal security. However, the actual threat to an individual is exceptionally low. Recognizing the difference between feeling secure and being secure is critical in the information security discussion.
In the end, the advanced adversary that is incentivized to try to steal your business-critical data cares very little about your successful compliance audit or framework. To your competition, your data is merely a series of 1s and 0s, in transit or at rest. When vetting compliance auditors, ensure that they are familiar with your industry’s specific compliance framework. However, when vetting red and purple team attack vendors, make sure that they are experts in simulating the theft of those 1s and 0s. Your adversary does not care about your compliance framework. Neither should your pen-testing vendor.
With that said, the “Compliance is not Security” viewpoint tends to skew in one direction among Information Security and Risk professionals, many of whom are of the mindset that compliance frameworks should be de-valued at the least, or thrown out in the extreme. The reality today is that compliance frameworks (mandated or otherwise), while flawed and perhaps over-emphasized in relevance, are still an important aspect to:
An Enterprise Security Architecture framework that focuses on the protection of business-critical data and evolves with your business should act as the anchor for your compliance requirements. For compliance, each and every one of the static yes/no questions maps directly into the broader security initiative supporting the business.
Compliance does not mean Security, but Security does include Compliance.