“We need to be compliant so we can pass an audit!”
This phrase makes us shudder. Forget being compliant because it is the right thing to do – or because it more often than not leads you down a path to better configuration management and stronger business processes. Many organizations view compliance as an obstacle they must overcome. It impacts numerous business areas, and cybersecurity is no exception. From NERC-CIP to NIST to SOC 2, organizations scramble to make sure their policies and technologies meet these different standards. Whether they do this because it’s right or because it’s required is only a marginally debatable point.
We agree that compliance is a fine starting point for building a comprehensive cybersecurity program. But there are pitfalls to be wary of. Compliance by itself does not guarantee that your data and your customers’ data are safe.
- Compliance is usually too generic. Standards are written broadly so that they can apply to businesses of all sizes and organizational structures. True security comes from compliance only when the spirit of the standards is thoughtfully applied. For instance, the HIPAA security rule does not mention the words “firewall” or “IPS”. But it does say that organizations must “ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits.” It’s not hard to connect this requirement to a set of technical controls that includes firewalls, IDS/IPS, advanced malware detection, and more. But you can technically be compliant without having a truly robust stack at your border if you are creative in how you answer audit questions.
- Compliance can breed apathy. Again, we are not saying that working towards compliance is bad. What is bad is stopping after you hit all of the checkmarks. A recent study by WhiteHat Security found that organizations that live for compliance have the fewest vulnerabilities in their web applications. Great! Conversely, however, these same organizations take the longest to fix the vulnerabilities that are brought to their attention. When the goal is passing compliance checks, vulnerabilities may be relegated to a low priority until the next audit date approaches.
- The threat landscape changes daily. A compliance audit guarantees that, as of audit day, your security meets the compliance standard. But remember – cyber threats are a moving target. You now have 364 other days in which new threats appear, company infrastructure changes, and new technologies are introduced. Security should be an everyday activity that is constantly performed and improved. Leaving your controls unimproved for months on end opens huge security gaps. Consider solutions that automate these continuous processes, such as a configuration management tool that enforces the desired state (e.g. Puppet, Chef, Ansible, Saltstack), and embrace automation of change controls.
It’s best to view information security from the standpoint of vigilant effectiveness vs. compliance or audit readiness. It can be difficult when auditors come knocking on your door or a new threat surfaces that tests your security program. However, if you plan accordingly, implement a layered security program (policy, technology, and processes) that meets or exceeds compliance standards, and drive a culture of vigilance, you are already off to a good start.
Think you’re there already? Great! Don’t forget the other two parts of a good security program: continuously assess and continuously improve. It’s when you think you have all of your vectors covered that you are truly most vulnerable. Engage information security professionals to validate your security program regularly. Patch. Retire old technologies in favor of new ones that take your program to the next level. Remember that anti-virus was once the bee’s knees. Now it’s a mildly effective “also ran” in the information security efficacy race. Stay current. Stay active. And yes, stay compliant!
You’ll sleep better when the next zero-day hits.