Compliance vs. Security – They Are Not the Same

Arraya Insights | February 21, 2017

Securing data typically isn’t the primary strategic objective for most companies. Security can be expensive, time-consuming, and – to some people – even boring. Instead, the driving force behind many security investments is compliance. In some cases, it’s a law or an industry regulation compelling a business to act. Other times, it’s a potential partner or customer who, as a prerequisite of doing business, necessitates a security investment. In either instance, compliance is the “stick” behind security. While any investment in security is better than no investment, compliance-based motivation can leave dangerous gaps open.

What Compliance Really Is

I’m a firm believer in a strong security compliance program. To stay in business, you have to follow the law. However – and this might make me unpopular with my auditor friends – I do not believe that meeting all regulatory requirements mandated by law necessarily correlates to “being secure.” To me, being “compliant” means you’re doing all of the things the government or another regulator requires you to do and nothing more. Does that strengthen your security posture? Maybe it does and maybe it doesn’t. You can meet every single checkbox requirement for a typical cyber security audit and still be completely susceptible to a breach.

A recent cyber security law issued by the NY Department of Financial Services is a perfect example. This law stipulates that covered entities must “provide regular cyber security awareness training for all personnel.” That sounds straightforward and well intentioned in theory. In practice, I can comply with that requirement simply by having each employee read and sign a one-page document on what they should and should not be doing. Did I comply with the law? Absolutely. Did I actually provide any additional protection? Not at all, but I checked the box and the auditor is happy. So it’s entirely possible to follow the rules without actually providing any additional protection.

What Security Really Is

To me, security is all the things you do that actually protect data, and no all-encompassing regulation is going to cover that. If you reconsider my last example around training, you can see how forcing every employee to read and sign a document complies with the law but provides no protection. What if, instead, the training program included simulated phishing attacks, interactive questions on real and fake links, social engineering exercises, and an actual administrative enforcement arm that holds offenders accountable? Now you’ve got a control with some teeth.

You can apply this line of thinking to just about any regulation. Compliance means your network devices write to a log file. Security means you actually have a method of triggering alerts on those logs and responding when the activity level is suspicious. Organizations focused solely on compliance will delegate ownership of the annual audit to someone as an additional duty. Organizations focused on security have dedicated individuals assigned to manage the program and integrate them into business operations. Neither is wrong per se, depending on a company’s strategy, but it’s important to understand the difference.
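The log-file versus alerting contrast above, as an added example that is not from the original post: a small Python detector run over constructed sshd-style log lines (the addresses, user names, threshold and window are assumptions, not anything the post specifies). Merely writing these lines to a file satisfies the “devices write to a log” checkbox; the detector is the part that turns a burst of failed logins from one source into something a responder actually sees.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from the original post). One source address,
# 203.0.113.7, produces a burst of failed logins; the others are normal noise.
SAMPLE_LOG = """\
2017-02-21T09:00:01 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 50122
2017-02-21T09:00:03 sshd[1201]: Failed password for invalid user root from 203.0.113.7 port 50123
2017-02-21T09:00:04 sshd[1201]: Accepted password for alice from 198.51.100.20 port 41000
2017-02-21T09:00:05 sshd[1201]: Failed password for invalid user test from 203.0.113.7 port 50124
2017-02-21T09:00:06 sshd[1201]: Failed password for invalid user oracle from 203.0.113.7 port 50125
2017-02-21T09:00:08 sshd[1201]: Failed password for invalid user guest from 203.0.113.7 port 50126
2017-02-21T09:00:09 sshd[1201]: Failed password for bob from 198.51.100.21 port 41002
"""

# Matches only failed-login lines; timestamp, user and source IP are captured.
FAILED_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)"
)


def parse_failures(lines):
    """Yield (timestamp, source_ip, username) for each failed-login line.

    Everything else (successful logins, unrelated messages) is ignored, which
    is all a compliance-only setup ever does with the log: store it.
    """
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group("ts")), m.group("src"), m.group("user")


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {source_ip: (alert_time, failures_in_window)} for every source
    that reaches `threshold` failed logins inside a sliding window of
    `window_seconds`. Threshold and window are assumed tuning values.

    One alert per source is emitted, so a persistent offender does not flood
    the responder with duplicate tickets.
    """
    recent = defaultdict(deque)   # source_ip -> timestamps of recent failures
    alerts = {}
    window = timedelta(seconds=window_seconds)
    for ts, src, _user in parse_failures(lines):
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and src not in alerts:
            alerts[src] = (ts, len(q))
    return alerts


if __name__ == "__main__":
    for src, (when, count) in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {when.isoformat()}: {count} failed logins from {src} within 60s")
```

In practice the thresholds would be tuned per environment and the alert would feed a ticketing or SIEM queue rather than `print`, but the shape is the same: the log line is the compliance artifact, the rule plus a named owner who responds to it is the security control.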

Harmonizing Security and Compliance

The terms may be different, but the good news is that you can do both. I find the best approach is to use compliance as the justification to executive leadership for investing in real security. If you can tie a critical control to a regulation, you’re more likely to get it funded. For example, identifying malicious activity on the network is one of the most important aspects of an effective incident response plan and good security housekeeping. Most executives won’t spend the money on software and tools for centralized logging and event correlation based only on the fact that it’s more secure. Instead, you can pitch that solution under the umbrella of how it complies with the NY DFS Cyber Security Law Section 500.15, which requires that a covered entity have “internal processes for responding to a Cybersecurity Event.” That project has a much better likelihood of approval when it’s marketed as a compliance need, because everyone wins: executives feel justified that they’re not throwing money away, and IT feels that its voice is being heard. The key is to approach security and compliance as complementary functions.

Embracing Security and Compliance That Go Hand-in-Hand

Arraya’s Cyber Security Practice has the real-world experience necessary to help businesses implement security and compliance solutions and initiatives that have teeth. Open up a dialogue today by reaching out to our team at www.arrayasolutions.com/contact-us/. They can also be contacted through any of our social media pages: LinkedIn, Twitter, and Facebook.