How a 'compliance mindset' can provide bad guys with short cuts if we're not careful
Jonathan Sander discusses why compliance is always a race to the bottom and how security as regulation takes executives off the front lines
Jonathan Sander, VP of product strategy, Lieberman Software
When industries introduce regulatory compliance, it will often be viewed as a sign of maturity showing that industry is moving forward and taking quality assurance seriously. This is now being applied in cyber-security and clearly the need for organisations to be “compliant” has kick-started an entire industry of consultancies, programmes and software being sold to help achieve this. The quandary is that many companies feel that simply meeting compliance guidelines alone will mitigate their exposure to data breaches and data assurance problems. These guidelines are often not truly focused on security but rather focus on privacy, data assurance, or business continuity. We know compliance won't protect organisations, as some of the major headline data breaches over the past few years were perfectly compliant at the time of the breach.
Compliance does not equal security
That is not to say that compliance doesn't have its place. Just like almost any diet will result in better eating through paying attention, the effort to meet compliance goals has likely improved many things in IT. For issues like privacy and accounting, where improving and tightening up the process is the point, compliance has been a true solution.
It's when we find this compliance approach suggested for IT security, there is a sticking point. After all, some surmise, security consultants are always talking about policies just like regulatory advisors, right? This is evident in the UK case of the report dealing with the massive, public breach of the TalkTalk system that held headlines for a while.
However, there are serious issues with treating IT security as a set of policies. They can all be captured in one scenario – security is a battle, not a concept. Going to battle with a plan and never altering that plan despite finding the facts on the ground have changed is to fight a losing battle. Likewise, if the enemy gets a hold of the plan, then they can counter it with precision. Policies tend not to offer the elasticity needed in security as the battlefield is constantly changing.
Compliance is always a race to the bottom
When you're in the mindset of compliance, often the biggest enemy in the situation is simply complacency. People typically handle data in irresponsible ways because, unfortunately, they are too lazy to do it the right way. When compliance is king, the regulation lays out what they must do and settles the debate. There are extra steps to be compliant, but people can't simply ignore them as the auditor carries a big, motivating stick.
“That sounds an awful lot like security to me,” says almost every executive. The difference, of course, is that when you handle data irresponsibly from a regulatory view, your “adversary” is the auditor who may notice months from now and give you a smack with her stick, or the victim may be the consumer who may be harmed by the action. Neither is actively looking to exploit you right here, right now. But in security, we know the bad guy just waiting for the path of least resistance and effectively waiting to pounce.
Maybe that sounds overly dramatic, but the facts on the ground say it's the case. How can you react to that reality? What you simply cannot do is take the “compensating controls” approach that is the hallmark of compliance.
Essentially, organisations will do implicit or explicit math about the financial risk of being non-compliant. The expediency of doing things the “wrong way” may offer and optimise the best outcomes regardless of what may be the “right” thing to do. This is the essence of profit-motivated thinking, and exactly what we should expect any corporate entity to do. It's also exactly why we can't treat security this way.
Security will never succeed as a practice that does the absolute minimum. Adversaries are too quick and all too eager to pick out the targets that have done the minimum and make them pay dearly.
Bad guys like shortcuts and security regulations provide them
Picture the classic “hacker” image: some youngish, scruffy man sitting at a messy desk in a dark room with a lot of monitors, cycling through unfamiliar looking windows of scrolling text and incomprehensible images. Now he looks at the screen in front of him, pulls up a web browser and Googles your organisation's website. He pulls up your site, goes to the “About Us” page, and sees logos you proudly display of the security regulations you comply with. A smile cracks across his face. Now he knows exactly how to get you.
Of course, this image is so far out of date as to be dangerous in the new reality of professional cyber-criminals and nation state attackers. But the classic loner image communicates the important point that if security were like regulations, then the bad guys could find out which ones you use, select attacks known to work against such regulations, and attack. Arguably, security regulations would make most organisations potentially more vulnerable. Not less.
The fact is, when organisations adopt a security by compliance approach, it take the executives off the front lines when the need to have executives on the front lines in IT security is, in contrast, well-covered territory. Executives need to be involved to ensure that the authorisation to act is never far from hand. While executives are often very interested in regulations that may lead them to jail time, they aren't involved in the day-to-day actions of the teams dealing with compliance.
That disconnect from the day to day operations may make sense when you can measure cycles of audits in months, but when the enemy is attacking every minute of every day, there is no time for can-kicking when it comes to making decisions.
Contributed by Jonathan Sander, VP of product strategy, Lieberman Software