The days of unbridled spending on security systems and on consultants to comply with government regulations and industry rules are coming to a close. Most compliance activities have now reached the status of “a cost of doing business,” and employee policies have been rewritten to incorporate compliance best practices.
At large enterprises, high-performing CISOs and their teams largely view compliance activities as distractions to the core security mission. With the frothy cottage industry of consultants and vendors that has grown up to meet the compliance hype, security practitioners are wary of additional spending, and most are searching for ways to achieve the same results with less. Like a stock that has been overbought, a cooling-off period is now inevitable.
The top distractions expressed by security practitioners these days are:
– Trying to figure out exactly what the rule maker’s original intention was. Complying with federal and state regulations (SOX, GLBA, and HIPAA) was hard enough for security teams. Now, industry rules like PCI and FFIEC continue to cause practitioners to ask, What’s this all for? Since no two networks are the same, compliance with any standard eventually involves significant interpretation. Interpretation leads to long discussions (and eventually guessing) about what the rule makers originally intended. For most, the hardest debates are those that put the enterprise’s interests at odds with the rule maker’s. Once security teams conclude they need to make significant changes to their existing infrastructures, they commonly wonder, Who are we doing this for…them or us?
– Planning for the unintended consequences. After years of spending on compliance software and consulting, most CIOs can tell management with conviction that the enterprise is “in compliance.” CISOs and their teams, however, are noting that the enterprise’s security posture is no better, and in many cases it is worse. Why? Compliant networks have likely been resegmented, causing new security concerns as data takes new paths. Employees may feel hamstrung by the new policies that they are subject to, and just work around them. Storing company data in personal accounts in order to work outside the office is a prime example.
– Managing the army of auditors. “I’m spending 80 percent of my time these days with the auditors and not securing my enterprise.” This is a common complaint from security teams burdened with the time-consuming task of running all the audits that most regulations and rules now call for. The sad part is that most audits are now conducted to satisfy rules rather than to check the resiliency and security posture of an enterprise. We’re measuring the wrong things.
– Monitoring CNN headlines rather than the bug tracker. It used to be that changes in the threat landscape were the security team’s primary early-warning system of impending doom. Today, news media headlines are as feared as the next zero-day attack, and security teams have had to adjust to take this new channel in. The litany of public data disclosures and the fear of regulatory fines and class-action lawsuits now often drive workload, budget allocations and overall technical strategy. Is the tail wagging the dog? You bet.
– Compliance perfection. The final distraction comes with the assumption by nontechnical managers that lots of expenditures and a passed audit mean “100 percent compliance.” CEOs and CFOs tend to view compliance spending and activities like insurance: Once we’ve spent the dough, we’re protected, right? Security practitioners are in a tough spot. Tell management the truth (that no amount of money can buy 100 percent compliance) and risk your job, or tell them what they want to hear and hope for the best. There are always the auditors to fall back on.
Most conversations on compliance eventually come around to the same point: Full compliance should never be confused with robust security. One does not beget the other, and, at times, changes called for by compliance rules can have a detrimental effect on an enterprise’s overall security posture.
Security practitioners take the job of defending their enterprises from known and unknown threats very seriously. CIOs and CFOs alike now need to recognize which compliance activities distract attention and resources away from managing the overall risk posture of an enterprise.
Better to be a little less compliant, and a little more secure.
Jack Phillips is a cofounder and managing partner at IANS, a Boston-based research company that focuses exclusively on the fields of information security, regulatory compliance and IT Risk Management. In this position, he oversees the Information Security Forum and Accelerator Services businesses.