I recently had the honor of giving the second-day keynote at the 2017 BSides San Francisco conference. The focus of my talk was the multi-faceted relationship between regulatory and organizational compliance and information security. In many cases I've been a part of, the relationship is somewhat adversarial despite its original intention: compliance was meant to act as a framework or tool for organizations to achieve a quantifiable measure of security posture. An unfortunate slew of drawbacks in recent years has strained the relationship between these two areas.
This is the first part in a short series on compliance and security.
Where Things Stand Now
This is by no means exhaustive, but today we'll focus on four challenges that I've seen crop up quite frequently in regulated environments.
- Juggling complexity with under-staffed security teams
- Compliance as security theater
- Control blinders, or "gotta catch 'em all" syndrome
- Controls in conflict with best practices
Larger, more heavily regulated industries such as financial services and healthcare (to name a few) are the ones that stand to benefit most from new players, competition, and a surge of technological innovation. However, the regulatory requirements imposed on organizations working within these industries represent a huge barrier to entry. In some cases, a compliance standard may require a security team to implement, document, and monitor over 250 controls. The time it takes simply to prepare all of the documentation for these controls is enough to drown a small and already over-burdened team in this fast-moving world of technology.
Compliance in many organizations serves as an enabler for business development or as protection against regulatory consequences. As a result, there are still teams out there, fortunately not many anymore, that look at compliance as the end game rather than the starting point. Additionally, some business owners will allocate budgets that only go so far as to cover the compliance aspects of a broader security program. Countless organizations across all regulated industries have fallen victim to data breaches. This is pointed out not to pick on any organization, because let's face it, security today is hard. The main takeaway here is that a state of 100% compliance does not equal a state of 100% security.
"Gotta Catch 'em All" Syndrome
This point is here to call out a symptom of people/team behavior that I've seen arise in heavily regulated environments: people get so focused on making sure that controls are in place that they put blinders on. It's almost like watching people on their phones trying to catch Pokémon. This one is really difficult to manage in a regulated environment because the risks are still real; on the surface, regulatory fines and business pressures are no more or less important than the technical risk addressed by non-compliance security activities. Further exacerbating the problem is the fact that compliance standards give us a clear checklist to follow, and we know that the activities within them are generally intended as good things. As practitioners, however, it's our job to assess what is actually most important at any given time and why. This is where a good risk assessment process comes into play: we need to be able to forecast risk from any angle, and if we can quantify it, we can prioritize it according to what's most important to us and to the business.
What are we supposed to do when a control, as it's written, is in direct conflict with what we know is the right thing to do? This is a really tough situation when an auditor who doesn't care about context, a business owner who cares only about that 100% compliant metric, or some other stakeholder is putting pressure on a security team. It's our responsibility to protect whatever assets we've been entrusted with; however, when we're forced to fight with one hand tied behind our back because of outdated standards, that can be tough... really tough.
This post focused on some of the challenges that heavyweight compliance standards introduce for security teams in today's fast-moving business environment. Next week, I'll focus on some strategies that teams can use to actually manage these three challenges.
If you're interested in following me each week, add this blog to your favorite reader!