Is compliance hurting more than it’s helping?

by | Sep 30, 2019


Why do so many security experts lament when their leadership choose a compliance first security strategy?

Because they know from experience that evidence of security is not proof of protection.

Security compliance is akin to ‘security theatre’. There’s lots of action and posing, it looks and feels good, but in the end, the protection results aren’t aligned to real business risks. There’s no other way to say it, a compliance first approach hurts more than it helps.

If that’s true, why are so many organizations using compliance driven security strategies?

  • They believe there is a strong correlation between compliance and protection
  • They do not have a better plan to invest in, and this is ‘on par’ with their peers

They do not believe they are important enough to be targeted by attackers, but want to show ‘due diligence’

There are the six questions a CISO must answer to be successful:

  1. What are you trying to protect, and why?
  2. What level of protection do you have?
  3. What level of protection is justified and defensible?
  4. Do you have the plan to show how to achieve this cost effectively?
  5. Can you show that what you have achieved was done cost effectively?
  6. Can you show that protection results are to plan?
  7. Consider any popular risk/security framework (e.g. ISO 27001, NIST 800–53, PCI-DSS). If these frameworks were strongly correlated to real-world protection, they would provide answers to these questions. They do not.

Unintended Consequences
It is important to point out that security regulations exist because of the perceived need to encourage or force organizations to increase their protection. The regulations are supposed to be a roadmap. The unfortunate, but common unintended consequence of regulation is it alone becomes the new security goal.

Security experts are generally very proud and don’t want to be on the security team that is embarrassed by a security breach. They want to stop the bad guys as much as they can, and they know compliance gets in the way of that because it distracts or redirects from activities that would provide greater protection returns. This is one of the primary causes for poor morale and becomes a time consuming and expensive challenge when retaining or recruiting personnel. When teams are understaffed to begin with, high churn rates can be fatal flaw for a security organization.

The weak correlation between protection and compliance aside, the CISO cannot escape the reality that business leadership does want to protect against significant business impact, if it’s cost-effective but at the same time they need to show compliance to security regulations.

What the CISO, and the business, need to be successful is an approach that maximizes the investment and implementation of security solutions to advance both the Protection and the Compliance agendas because they do share a common resource: security investment.

The Path Forward
Aligning Protection and Compliance objectives is the first step towards reducing the risk profile of the business. The CISO and Compliance Officer should be allies not adversaries. This takes a cross functional approach that brings together teams, budgets and strategic priorities. Greater levels of protection can be achieved with a unified security and compliance strategy and business plan. This approach eliminates distracting and unhelpful questions such as “How compliant do we need to be?” or “How do you define what ‘reasonable protection means?” Thanks GDPR!

The above is a non-trivial task; however, it is possible. We’ll continue toward perspectives, methods, and models to further this in upcoming posts. This is just one dimension of many to optimize security investment and robustly answer the six key questions a CISO must answer for success.