When you think about security for your bank or health care provider, what comes to mind? Is it that your bank is PCI-DSS (Payment Card Industry Data Security Standard) compliant, or that your health care provider is HIPAA (Health Insurance Portability and Accountability Act) compliant?
If it is, you are not alone, but you are fooling yourself if you believe that these certifications alone are sufficient to provide adequate protection.
Compliance is often a requirement by a governing body based on the industry that you are in, and whilst they provide a solid framework, this should not be the end goal of any security program and here is why:
Compliance does not guarantee Security — You only have to look at any newspaper these days to find a security breach that appears to be bigger than the last. If we look at the top few for this year alone, what they all have in common is that the affected organizations held industry certifications and were compliant businesses.
Compliance standards are not comprehensive — This is a Catch-22: if the standards are too prescriptive, they become a “hacker’s playbook” on how to circumvent them. If they are too loose, then any value they provide can be overlooked, ignored or simply given lip service. Many compliance standards offer valuable guidance in areas such as data handling, user privacy and breach disclosure; however, they often miss other critical areas such as security awareness, business continuity and penetration testing.
Threats evolve faster than compliance standards — Today, threat actors are seeking new ways to identify zero-day vulnerabilities and to bypass the multitude of security controls. They are continually evolving the Tactics, Techniques and Procedures (TTPs) they use and the threats that result from them. Now contrast this with the relatively static nature of compliance standards, and even more so of compliance-centric security programs.
Compliance and Security — A Symbiotic Relationship
I don’t want those who have read the above to think that I don’t believe in industry certifications; I do. What concerns me is when organizations believe that compliance alone is sufficient, or that it should take a higher priority than security, as this opens up a multitude of avenues for compromise.
I believe that the best course of action is to turn the security tools and processes you already have into a compliant system. This does require more effort, as you need to prove the compliance of those tools and processes against the regulatory standard. Taking a security-first approach is something I have personally used several times, most recently in obtaining MTCS Tier 3 certification for a company in less than six months. The challenge is that you need to articulate the intent of the standard and demonstrate how you comply with it. The following is a high-level roadmap for starting with a security-first approach to compliance:
Identify all the current security tools in use and the function each performs.
Conduct a comprehensive risk assessment of the types of information processed.
Understand the requirements of the framework.
Conduct a comprehensive gap analysis.
Plan how to address and close each of the gaps identified.
Test the effectiveness of the entire security solution.
Conduct regular assessments.
Compliance and Security need to work hand in hand, not Security versus Compliance.
When you consider the implications for non-compliance, many organizations believe that adopting a compliance-centric approach is a reasonable and judicious decision.
It is critical to remember that whilst many compliance standards provide clear and substantial security benefits, they are neither comprehensive nor flexible enough on their own. For a business to address today’s threat landscape, compliance can’t be the only focal point if it is to have an effective security program.