I can’t tell you how many times I’ve gone into a breach response and been told “We don’t have a problem because we are (insert your favorite regulatory standard) compliant.” From the perspective of an incident responder, this automatically raises a red flag. All too often, a company undertakes a “check the box” compliance exercise and develops an overly optimistic belief that its environment is protected from would-be attackers. This couldn’t be farther from the truth.
The devil is in the details, and the unfortunate reality is that there is nothing like an actual data breach investigation to expose vulnerabilities in your environment. Indeed, overreliance on standard controls required to ‘comply’ is an insufficient approach to dealing with cyber threats and can give companies a false sense of security about their ability to defend against evolving threats.
Here’s an example. “Compliance” with various data security standards may be achieved by having an (updated) antivirus solution in your environment. But when it comes to “security”, a host of industry professionals and product companies have long asserted that antivirus, on its own, is no longer an adequate control to insulate hosts from host-based threats. Nonetheless, for years nothing has been done to update this control, which is required by most compliance standards (although of late the tide finally seems to be turning, albeit slowly).
Netflix recently declared that it would be decommissioning its antivirus solution and would not be renewing the contract with its (undisclosed) antivirus provider. That may have been a little extreme. Antivirus can defend companies against known host-based threats. The problem we most often see in incident response investigations related to malware is that there is an antivirus solution in place, but it is misconfigured and/or out-of-date. Again, the ‘compliance is security’ misunderstanding is to blame. Companies trust that their AV solutions are providing adequate protection of their hosts because they were able to “check the compliance box” indicating the control is in place, despite the fact that it is not providing the intended protection.
There are plenty of other controls I could pick on. My point is that regulatory standards establish a foundation of minimum mandatory controls. Over time, these mandatory requirements can become burdensome and outdated, and result in companies channeling resources and effort into compliance audits rather than actually improving security. Compliance controls may very well help companies achieve a base level of foundational security, if properly integrated and configured; however, they too often fail to achieve the desired outcome.
Go ahead and be FISMA, ISO, PCI, NERC compliant. Do what you need to do to meet regulatory standards required of your company. My challenge to you is to change your company’s mindset around security by:
- Understanding your business risks and risk tolerance;
- Validating the existence of targeted controls to mitigate your most relevant risks;
- Defining processes to ensure controls are achieving the expected level of security;
- Maintaining and monitoring your controls; and
- Continuously addressing the evolving threat landscape.
By adopting a more proactive approach to security, you can avoid the type of crisis that painfully reveals how your ‘compliant’ environment wasn’t as secure as you thought.
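To make the antivirus example and the “validate that controls achieve the expected level of security” step concrete, here is an added illustration (my own example code, not anything from the original post or from any vendor). It assumes a simple CSV export of per-host antivirus status, of the kind an AV or EDR console can produce, with constructed sample rows and constructed dates; the column names and the 7-day definition and 30-day scan thresholds are assumptions you would adapt to your own tooling and policy. It separates the “checkbox” question (is AV installed?) from the security question (is it running, current, and actually scanning?), which is exactly the gap the post describes.

```python
from __future__ import annotations
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample export: one row per host, in the shape an AV/EDR console
# might export. Hosts, dates and values are illustrative only.
SAMPLE_EXPORT = """\
host,av_installed,service_running,realtime_protection,definitions_date,last_full_scan
web01,yes,yes,yes,2015-08-20,2015-08-22
web02,yes,yes,no,2015-08-20,2015-08-22
db01,yes,no,yes,2015-08-20,2015-07-01
fileserver,yes,yes,yes,2015-03-01,2015-03-02
hr-laptop,no,no,no,,
"""

AS_OF = datetime(2015, 8, 24)           # evaluation date for the sample (constructed)
MAX_DEFINITION_AGE = timedelta(days=7)  # assumed policy: definitions no older than a week
MAX_SCAN_AGE = timedelta(days=30)       # assumed policy: full scan at least monthly


@dataclass
class HostAssessment:
    host: str
    compliant: bool       # the checkbox view: an AV product is installed
    effective: bool       # the security view: the control is actually working
    findings: list[str]   # why the control is not effective, if it is not


def _parse_date(value: str):
    """Return a datetime for a YYYY-MM-DD field, or None when the field is empty."""
    return datetime.strptime(value, "%Y-%m-%d") if value else None


def assess_host(row: dict, as_of: datetime = AS_OF) -> HostAssessment:
    """Check one host: installed is 'compliant'; running + current + scanning is 'effective'."""
    findings: list[str] = []
    if row["av_installed"] != "yes":
        findings.append("no antivirus installed")
        return HostAssessment(row["host"], False, False, findings)
    if row["service_running"] != "yes":
        findings.append("AV service not running")
    if row["realtime_protection"] != "yes":
        findings.append("real-time protection disabled")
    defs = _parse_date(row["definitions_date"])
    if defs is None or as_of - defs > MAX_DEFINITION_AGE:
        age = "unknown" if defs is None else f"{(as_of - defs).days} days"
        findings.append(f"definitions out of date ({age})")
    scan = _parse_date(row["last_full_scan"])
    if scan is None or as_of - scan > MAX_SCAN_AGE:
        findings.append("no recent full scan")
    return HostAssessment(row["host"], True, not findings, findings)


def assess_export(text: str, as_of: datetime = AS_OF) -> list[HostAssessment]:
    """Assess every host in a CSV export."""
    return [assess_host(row, as_of) for row in csv.DictReader(io.StringIO(text))]


def summarize(assessments: list[HostAssessment]) -> dict:
    """Count hosts that pass the checkbox versus hosts where the control really works."""
    compliant = sum(a.compliant for a in assessments)
    effective = sum(a.effective for a in assessments)
    return {"hosts": len(assessments), "compliant": compliant,
            "effective": effective, "checkbox_only": compliant - effective}


if __name__ == "__main__":
    results = assess_export(SAMPLE_EXPORT)
    for a in results:
        status = "OK " if a.effective else "GAP"
        print(f"{status} {a.host:<11} compliant={a.compliant!s:<5} "
              f"effective={a.effective!s:<5} {'; '.join(a.findings)}")
    print(summarize(results))
```

On the constructed data, four of five hosts would satisfy an “AV installed” audit question, but only one is actually protected; the other three are the “box checked, control not working” cases from the post. The same pattern (define what “working” means for a control, then measure it against live telemetry rather than an inventory flag) applies to any other mandated control you want to validate.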