Cybersecurity Strategy: Compliance < Security
For as long as information security has been a function of the organization, there has been justified tension between focusing on compliance and pursuing security when setting cybersecurity strategy. One of the most frustrating pressures to deal with as a security leader is budget. Your business stakeholders want to spend less on security, and you somehow have to roll out next-generation anti-virus to 10,000 endpoints to keep your business processes secure. Cost is often the driving factor in deciding the security strategy of your organization, because every organization ultimately has to contend with cost-prohibitive constraints. So the organization often elects to treat compliance requirements as the driving factor for its cybersecurity implementation. After all, you have to meet compliance requirements. This approach leads to what I call The Walking Data Breach: an organization that has a false sense of security as a result of satisfying its compliance requirements.
Strategically, if a data breach can be prevented for only $10 million a year, as opposed to $12 million a year, it can be difficult to justify the extra two million in expenditure. The problem with this logic is that a data breach cannot be prevented with certainty; it can only be made less likely. No matter how good your security is, a determined criminal will keep looking for a way in. This brings us to the primary point:
If your goal is compliance, you will never be secure. If your goal is security, you will always reach compliance.
The Compliance Problem
The fundamental problem with pursuing compliance is that compliance is a set of rules and regulations, set by a governing body, that the organization must follow. Criminals, at the most basic level, are rule breakers. Rule breakers won't play by the rules you're governed by. The second problem with pursuing compliance is that compliance requirements were never meant to guide security programs. When the government creates public policy, the policy is created much like you would create policy within your organization: broad, high-level requirements that commit the organization to do something. With public policy, legislators cannot be too prescriptive in the regulations they write, because organizations would have a difficult time achieving all of the requirements. That would apply undue pressure on businesses that aren't quite ready for a strong security program and would amount to overregulation. The balance is a basic set of security requirements that must be followed, under the assumption that organizations will do more. Your organization should do more.
When security is your goal, you will always reach compliance. This follows from the fact that compliance requirements are written with security in mind. Here is an example: a fictitious compliance requirement states that you must perform a penetration test every five years. In practice, you penetration test every year, or upon any significant change to the application, to assure its security. By implementing strong security practices, you more than achieve compliance.
It is also important to consider the risk associated with your security implementation. If your goal is security, it can be easy to go overboard and over-secure your assets, which wastes organizational resources. You wouldn't want to build a 30ft wall in front of a church. The appropriate security measures for your organization must be guided by the organization's risk appetite. The risk appetite is a guiding strategic statement for your organization that describes what level of risk your organization will accept. If the organization is a bank, the risk appetite would be very low, as you wouldn't want lingering cybersecurity risks in a financial institution. If your risk appetite were high, you would likely be a smaller business, and the impact of a given loss would be significantly less.
The Walking Data Breach organization has a false sense of security, fueled by having satisfied its compliance requirements. Criminals get better every single day. Your organization must prioritize security over compliance and implement security to the level of its risk appetite.
Austin Harman, President & CEO, CISSP