Are security-related compliance mandates by the US government and other industry regulations compromising the safety of our data?
I believe they are—at least, in part. Here’s why: too many organizations are focused on complying with information security regulations rather than effectively managing security risks. As a result, when an organization nears or reaches the compliance bar, company leadership is left with a false sense of being adequately secure and may put the brakes on additional security measures. This leaves data exposed to security risks that aren’t provisioned for in compliance mandates, and worse, in many cases organizations aren’t even aware they are still exposed.
Attitudes toward compliance run the gamut from strict adherence to a blatant disregard for the rules. For the moment, let’s set the slackers aside, because they are probably the minority today. What I want to address is the organization that takes compliance seriously and puts forth a good-faith effort to implement security controls as prescribed by government regulations. While I applaud this conscientious stance, my concern is that compliance regulations set the security bar too low, and if an organization stops at "just enough security to comply," that organization may be compliant, but it likely won’t be reasonably secure.
Why did the government need to step in?
Mostly because cybercriminals were stealing and corrupting data, and no one was doing much about it. Something had to be done. But unfortunately, turning data security into a government initiative has shifted the focus away from what it was intended to do—that is, keep data safe. Too often, the security team’s objective (as specified by their organization’s business leaders) is to meet compliance requirements, get through audits, and avoid steep fines.
Let’s be clear: Compliance requirements do help to put a stronger focus on data security because they compel company officers and boards of directors to think and act on security issues. But companies need to assume more responsibility for developing a custom-built security program that addresses their own needs—independent of how well it meets compliance obligations. I am a strong proponent of developing a company-specific strategy, one that is based on risk tolerance in each area of the business.
In organizations that take a risk-based approach, investment in security controls is commensurate with the amount of business risk involved. Risk-based management teams are proactive: they measure risk, assess gaps, implement appropriate controls, monitor their security systems, and mobilize when an incident occurs. This well-thought-out plan is put in place in varying degrees throughout an organization, based on the levels of business risk involved.
While being compliant is the law (or maybe a requirement within your industry), I believe it is time for cybersecurity professionals to shift the focus away from security programs measured by compliance with legislation and towards the more appropriate and critical goal of managing business risk to an acceptable level. After all, most knowledgeable cybersecurity professionals agree that being compliant does not equate to being adequately secure; but a well-designed, risk-based security program will achieve compliance as a by-product.
Data security: a cross-functional effort
So if a risk-based model is a more effective one, why are so few organizations adopting this approach?
One contributing factor is that data security is oftentimes still viewed as an isolated IT function, and executing a company’s security activities is left to IT personnel. Adopting a risk-based approach is a significant undertaking that requires an enterprise-wide commitment, but executive teams are reluctant to engage with a function traditionally handled by IT departments.
To facilitate a more widespread commitment, security professionals are advised to establish relationships with senior decision makers outside of IT—particularly those who can lend a credible voice to the need for adequate security controls, such as the legal counsel, the audit committee, and the internal audit department. These functions tend to be well defined and more mature within an organization, have the ear of senior company officials, and can often contribute supporting perspective. They also provide validation outside the security department; when the message comes from all sides, it is more likely to inspire a shift in thinking.
Another challenge that many security professionals face is the ability to communicate what they need (and why) in a language that the rest of the company can relate to—in business terms. Accustomed to talking bits and bytes and easily seduced by the latest technology tools, information security professionals too often fail to communicate the business reasons for implementing better policies and procedures and acquiring improved data security tools. Members of the security team are fighting intrusions of some kind on an almost daily basis, and they frequently approach management with their frustrations and entreaties for resources before building a business case to support their appeal. Without an adequately articulated business case, a request for additional budget or people is unlikely to be approved.
When security professionals continually cry that the sky is falling (even though at times, it is), they are too often dismissed as Chicken Little. Educating key information security leaders on the art of persuasion would go a long way toward getting everyone on board. One example: local FBI cybercrime units are often willing to present to management teams at no charge. Not only can they share anecdotes about companies that have been devastated by attacks and the ingenious ways the thieves get in, but they can also provide a more objective point of view than internal personnel, which can help to prevent the Chicken Little label.
Data security and the bottom line
At the end of the day, most organizations are in business to make money. To do this, they focus on increasing revenues and/or reducing costs, and security controls do not have a direct positive impact on either of these financial measures. Plus, company management mistakenly believes that if the organization is compliant, it is protected against security breaches. Convincing the powers-that-be to commit to a risk-based approach can be an uphill battle, and it usually falls on the shoulders of the information security team to persuade the people in authority to allocate budget and resources for a better security program.
But change begins with knowledge, and as security professionals become well versed in the language of business, the art of company politics, and the science of security versus compliance, we will see more organizations make a shift. At least, I hope so. The safety of our data depends on it.
Mark Burnette, CPA, CISA, CISSP, CISM, CRISC, QSA, is a Partner with LBMC Information Security. He is a founding director of the Middle Tennessee ISSA Chapter and can be reached at firstname.lastname@example.org.
As featured in ISSA Journal.