Compliance vs. Security: Revelations from Incident Response

Stroz Friedberg is a specialized risk management firm built to help clients solve the complex challenges prevalent in today’s digital, connected, and regulated business world

I can’t tell you how many times I’ve gone into a breach response and been told “We don’t have a problem because we are (insert your favorite regulatory standard) compliant.” From the perspective of an incident responder, this automatically raises a red flag. All too often, a company undertakes a “check the box” compliance exercise and develops an overly optimistic belief that its environment is protected from would-be attackers. This couldn’t be farther from the truth.

The devil is in the details, and the unfortunate reality is that there is nothing like an actual data breach investigation to expose vulnerabilities in your environment. Indeed, overreliance on standard controls required to ‘comply’ is an insufficient approach to dealing with cyber threats and can give companies a false sense of security about their ability to defend against evolving threats.

Here’s an example. “Compliance” with various data security standards may be achieved by having an (updated) antivirus solution in your environment. But when it comes to “security”, a host of industry professionals and product companies have long asserted that antivirus is no longer an adequate control, on its own, to insulate an organization from host-based threats. Nonetheless, for years nothing has been done to update this control, which is required by most compliance standards (although of late the tide finally seems to be turning, albeit slowly).

Netflix recently declared that it would be decommissioning its antivirus solution and would not be renewing the contract with its (undisclosed) antivirus provider. That may have been a little extreme. Antivirus can defend companies against known host-based threats. The problem we most often see in incident response investigations related to malware is that there is an antivirus solution in place, but it is misconfigured and/or out-of-date. Again, the ‘compliance is security’ misunderstanding is to blame. Companies trust that their AV solutions are providing adequate protection of their hosts because they were able to “check the compliance box” indicating the control is in place, despite the fact that it is not providing the intended protection.

There are plenty of other controls I could pick on. My point is that regulatory standards establish a foundation of minimum mandatory controls. Over time, these mandatory requirements can become burdensome and outdated, and result in companies channeling resources and effort into compliance audits rather than actually improving security. Compliance controls may very well help companies achieve a base level of foundational security, if properly integrated and configured; however, they too often fail to achieve the desired outcome.

Go ahead and be FISMA-, ISO-, PCI-, or NERC-compliant. Do what you need to do to meet the regulatory standards required of your company. My challenge to you is to change your company’s mindset around security by:

  1. Understanding your business risks and risk tolerance;
  2. Validating the existence of targeted controls to mitigate your most relevant risks;
  3. Defining processes to ensure controls are achieving the expected level of security;
  4. Maintaining and monitoring your controls; and
  5. Continuously addressing the evolving threat landscape.

By adopting a more proactive approach to security, you can avoid the type of crisis that painfully reveals how your ‘compliant’ environment wasn’t as secure as you thought.
