A frequently heard slogan in information security is “Security first, compliance second”. At first glance this makes sense. But if you take a critical look at the statement, you come to the conclusion that the choice does not have to be made at all. This is why.
Compliance is often seen as unnecessary overhead that makes life harder. Checking every firewall rule or documenting the same work again and again keeps engineers from their actual job. This happens when compliance is approached with a ‘checkbox mentality’: tick the box with minimal effort so that the auditors are reassured. The compliance framework then becomes counterproductive: you stick to it, but at the expense of the actual security of your organization.
With such a mindset, security and compliance seem to be at odds with each other. The tension is exacerbated by the constant struggle for budget and resources. When the budget is tight, a choice may have to be made between, say, a new certification and an innovative security solution. Compliance should be about adding value. So why choose the easy way and just check the box?
More than the sum of its parts
Security and compliance are both aimed at mitigating risk. A compliance framework such as the NIST Cybersecurity Framework provides a standard model for identifying and handling risks. But a compliance framework in itself is not enough. Why not?
The biggest problem is that cybersecurity is a dynamic and unbalanced battle. To be completely impermeable, you would need to think of every possible attack scenario and fix every possible vulnerability. The adversary only needs to find a single hole in a system, process or organization to get in, just as a single tiny opening is all a needle needs to burst a balloon.
An audit gives you a snapshot: it attests that your controls were in place and effective for the period that was examined. But your environment keeps changing, for instance through the introduction of a new technology. No one knows exactly how the new technology interacts with the existing, highly complex environment. Inadvertent gaps in security can arise without the organization realizing it, for example when a patch or a new firewall is installed. It is therefore imperative to continuously identify, assess and mitigate risks, and to continuously evaluate the compliance frameworks themselves.
Compliance frameworks are important, but too often organizations are so satisfied with the success of a recent audit that they forget it doesn’t end there. The cryptographer Bruce Schneier uses the term ‘security theater’ for measures that make people feel more secure without actually making them more secure. Being compliant can give exactly that false sense of security. For example, the large American retailer Target was PCI DSS compliant at the time of a major data breach in which the payment card details of millions of consumers were stolen.
Reconciling compliance with security
Here’s a disclaimer: it is not easy to find the sweet spot, and it probably never will be. There are too many unique scenarios and we only have limited resources. But scarcity is not the biggest problem. Information security is not a technical problem with only technical solutions. It’s a mindset.
Even with the latest technology, users will still take the path of least resistance. Given enough rights, they will try to bypass poorly enforced settings. Why set up a long, complex password when a four-digit PIN is allowed? This is only one example, but I’m sure each of us can easily come up with another, or even plead guilty to a similar offence.
How do we fight this together? There are many ways, but one of the best places to start is raising awareness. This applies to both security and compliance! Explain what they mean for everyone and why the measures are needed. For example, if your compliance framework requires that every visitor to the office is accompanied, make sure everyone is aware of this and understands why it is being asked. Everyone gets nervous when a stranger walks around their house. Why would that be any different in the office? In any organization, security and compliance are never limited to the work of one team. It involves the whole company working as a team. A robust enterprise risk management (ERM) process can support this. Measures that are easier to implement include internal news items, training, and phishing tests.
However, awareness alone is not enough. To maintain the balance, the level of knowledge must be raised throughout the organization. Share the knowledge that is available. Promote security best practices. Encourage discussions about improving the security mindset in the various areas of the business. Seek new insights by following security-focused training and webinars. Compare this knowledge with your compliance framework, so that you can supplement the framework where necessary on the basis of the latest developments in the sector.
In short, change the way the organization thinks about security and compliance by raising awareness and by sharing and capturing knowledge.
Author: Kevin Syauta, Security & Compliance Officer at Solvinity.