I am very excited to have been invited to participate in the community here at itgrcforum.com. My professional passion is finding the sweet spot where security and compliance work as enablers of the business rather than impediments. I look forward to sharing my thoughts on practical ways that security and compliance professionals can become that kind of asset to their business. What follows is a revised version of a piece I wrote in 2010 for my own site, but I believe it will nicely introduce you to my take on security, compliance and business.
I look forward to hearing your thoughts and questions.
Compliance Leads to Security Breaches - Maturing from Compliance to Security
How IT’s compliance mindset would look in another setting:
“Hey, there’s a fly in my soup!” – patron
“Let me take care of that for you, sir” – waiter, as he reaches into the soup and pulls out the fly
“Well, the soup looks fine now. Thank you.” – patron, as he digs in
In the world of Information Security, compliance rules with an iron fist. For InfoSec professionals in the health care industry, data must be stored and secured according to HIPAA guidelines. For those in finance, GLBA rules. For those who handle credit card info, PCI-DSS. For all public companies, SOX is king. The specific rules for these industries differ but the consequence of failure to comply is the same across them all. If you do not follow the compliance rules for your industry you will receive fines, and eventually be put out of business.
InfoSec professionals can make a very nice career for themselves by becoming well versed on the specifics of a data protection regulation. Companies spend billions of dollars a year to achieve compliance with the standards governing them. Certainly nobody can blame them for striving to achieve compliance. We cannot do business without it. But does compliance mean we’re secure?
The most high profile hacks in recent history were performed against PCI compliant systems. The Heartland fiasco was a breach of a company that could put a check in every box on a PCI checklist. That didn’t prevent the breach, nor the countless others before and since. So what were these companies doing wrong?
When you set your goal at “achieving compliance” whether it’s to PCI, HIPAA, ISO27001 or any other standard, you are settling for “good enough.” You are using someone else’s bare minimum standard for acceptability as your end goal.
Compliance will never bring security. No checklist or audit, regardless of how many agencies approve it, can account for all the ways vulnerabilities can strike in your specific environment. No governing body can foresee the ways your organization will need to defend itself in the future. As long as compliance is your end goal, security will never be achieved. Much like the fly in the soup, your organization may look clean, with some nasty surprises waiting under the surface.
Compliance forces you to forever work in a reactive mode. While the main objectives of our industry standard regulations do not change often, the specific checklist items that auditors look for frequently do. As auditors add new requirements to their lists, you are continually forced to react and build, or buy, bolt-on solutions that get you through yet another audit finding but never get to the heart of your vulnerabilities.
Finally, compliance leads to security breaches. Or more accurately, when an organization aims for compliance rather than security, vulnerabilities are the eventual outcome. Data protection standards are notoriously slow in incorporating new safeguards to defend against new hacker techniques. Those who do the bare minimum to achieve compliance will be among the first to become victims of new zero-day attacks. Attackers also know what compliance requires, and so when we simply do the minimum to achieve compliance, those attackers have a fairly detailed outline of what our defenses consist of.
Organizations that focus on security will inherently achieve compliance. If you consider security throughout a system’s lifecycle, continually run risk assessments internally (formal or informal) and allocate sufficient resources to security initiatives, compliance with regulations becomes far less daunting. Drive security into systems as early and as integrally as possible.
Just as we won’t settle for having the fly removed from our soup, we should not settle for security policies that just get us through an audit successfully.