You’ve heard the chorus from CISOs and cybersecurity professionals alike: “Compliance does not equal security.” Is it really true? Compliance is more of a minimum baseline that gives reasonable assurance a company is taking the basic steps to protect data. The bigger question is, are companies really compliant? Or are they doing just enough to achieve certification? Drill down a bit and you’ll find that there’s “certified” compliance and “actual” compliance—and the difference is profound. Then ask, “which of these describes my organization?”
Certified vs. Actual Compliance
Certified compliant indicates an organization has been tested and designated as such by an independent audit assessor. The assessment includes a definition of scope, a representative sample selection, and a request for data about that specific sample to address the requirements of a framework (e.g., PCI DSS, HIPAA). Historically speaking, it’s been unrealistic for audit firms to test everything within every organization, so a representative sample is used as a view into a company’s operating practices. Once the sample selection is delivered, an internal assessment is performed to identify and address weak points within those specific systems, creating shining examples of what compliant systems look like.
Although this is time-consuming and disruptive to many areas of the business, failure is not an option. When data is gathered and delivered for testing, assuming your policies and procedures are in place, the odds are in your favor. You’re officially “certified compliant” and you have the paper to prove it—box checked!
Actual compliance is another story. The organization has taken the time to understand and implement all requirements consistently and unapologetically against every system and process. It’s more challenging and forces the organization to weave a compliance mindset into its culture, but the payoff is tenfold once Herculean efforts and interrupted business processes become a thing of the past. Compliance certifications become a foregone conclusion, and you can rest well knowing you don’t have gaps in your compliance—and by association, security—footprint. By design, companies that are unwilling to achieve actual compliance can never achieve security.
Data breaches in “compliant” companies
Compliance is critically important, but it’s just as important to remember that it doesn’t make your network impenetrable. Achieving actual compliance, rather than simply collecting a certification, does strengthen the security posture of your organization. Threat actors are constantly looking for new, more invasive, and more obscure ways to break into networks, and they move faster than compliance regulations do. This is why it is so crucial for organizations to be compliant across their entire environment, not only across the audited sample.
In the wake of an incident, people will often note, “that company was compliant and still got breached!”
It certainly is possible that these companies did everything right and were still breached, but there are always a few questions in the back of my head:
- Which legacy system could they not live without?
- Which user was considered important enough not to require the same password expiry settings as everyone else?
- Who didn’t need awareness training?
- What risk was considered acceptable in systems and processes outside of the representative sample?
The key to achieving actual compliance and securing your network is a combined perspective of security and compliance. Industry frameworks, uniformly applied as a baseline and coupled with best-in-breed security practices, may not make you bulletproof, but they keep you from being an easy target.
Achieving Actual Compliance
Although mastering the compliance conundrum sounds daunting to achieve, it’s really not. It all boils down to a few basic tips to keep in mind:
- Keep an accurate asset inventory. This cannot be said enough. You cannot profess security or control over systems or data you don’t know you have. Both physical and logical inventories are necessary.
- Review your most recent compliance audit. What area(s) triggered the most aggressive reactive response and presented your team with one or more hoops to jump through? The items you identify as issues should become top priority and be addressed immediately.
- Analyze your current cybersecurity stature. There are specific guidelines for different industries—from healthcare and banking to government, payment-card data, and more. The rules and regulations for each segment are continually evolving, making it challenging for many organizations to maintain a strong security posture—especially as operational footprints and vendor relationships expand.
- Review your risk register to help identify potential security gaps and manage them proactively. A risk register defines identified risks, rates their potential severity and impact, identifies possible solutions, and monitors and analyzes the effectiveness of any steps taken. Documenting information in this way not only simplifies the management process and makes key information easier to find, it also serves as a valuable roadmap for ongoing security issues that need prioritization. Do you know how much risk your organization can withstand, or what would constitute an enterprise-ending event? You should!
- Make the necessary security investments. Invest now in ongoing system analysis and monitoring tools, automating where possible. Whether that means continually monitoring for baseline configuration drift, changes in access, or implementing other self-healing policies to correct the human errors that lead to non-compliance, do something today that improves your security and compliance posture. Yes, there are probably cooler, sexier things your organization could spend its money on, but when you weigh those options against the financial impact of a data breach and—potentially—the very life or death of your enterprise, the choice is crystal clear.
- Remember that this is a shared responsibility. The burden of security and compliance is not borne by CISOs alone. CFOs, CEOs, and the board must champion these efforts through financial support, resource allocation, project prioritization, and by simply setting the appropriate tone at the top.
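The difference between a sampled audit and checking the whole environment is easy to demonstrate in code. The script below is an added example, not code from the article: it takes a constructed asset inventory, tests every asset against an assumed baseline (maximum password age, supported operating systems, no accounts exempt from expiry, no users without awareness training), and contrasts the findings from an audit-style sample with the findings from the full population. The hostnames, baseline values, and the `Asset` structure are all assumptions made for illustration; the questions it encodes are the ones asked above about legacy systems, exempt users, untrained staff, and systems outside the representative sample.

```python
"""Full-population compliance check vs. a sampled audit (illustrative example).

Every value here is constructed for the example; the baseline numbers are not
taken from any specific framework.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Assumed baseline a framework might require (illustrative values only).
BASELINE = {
    "max_password_age_days": 90,
    "supported_os": {"Ubuntu 22.04", "Windows Server 2022"},
}


@dataclass
class Asset:
    """One entry from the (constructed) asset inventory."""
    hostname: str
    os: str
    max_password_age_days: int
    # Accounts excluded from the password-expiry policy on this host.
    exempt_accounts: List[str] = field(default_factory=list)
    # Users on this host with no awareness training on record.
    untrained_users: List[str] = field(default_factory=list)


# Constructed inventory. The first three hosts are the kind an audit sample
# usually lands on; the last two are the ones it tends to miss.
INVENTORY = [
    Asset("web-01", "Ubuntu 22.04", 90),
    Asset("web-02", "Ubuntu 22.04", 90),
    Asset("db-01", "Windows Server 2022", 90),
    Asset("legacy-erp", "Windows Server 2008", 365, exempt_accounts=["svc_erp"]),
    Asset("exec-laptop-07", "Windows Server 2022", 90,
          exempt_accounts=["cfo"], untrained_users=["cfo"]),
]


def findings_for(asset: Asset, baseline: dict) -> List[str]:
    """Return every way a single asset deviates from the baseline."""
    findings = []
    if asset.os not in baseline["supported_os"]:
        findings.append(f"unsupported OS: {asset.os}")
    if asset.max_password_age_days > baseline["max_password_age_days"]:
        findings.append(
            f"password max age {asset.max_password_age_days}d exceeds "
            f"{baseline['max_password_age_days']}d")
    for account in asset.exempt_accounts:
        findings.append(f"account exempt from password expiry: {account}")
    for user in asset.untrained_users:
        findings.append(f"user without awareness training: {user}")
    return findings


def check_population(assets: List[Asset], baseline: dict,
                     scope: Optional[Set[str]] = None) -> Dict[str, List[str]]:
    """Check assets against the baseline and return findings keyed by hostname.

    scope=None checks the entire inventory; a set of hostnames restricts the
    check to an audit-style sample.
    """
    result: Dict[str, List[str]] = {}
    for asset in assets:
        if scope is not None and asset.hostname not in scope:
            continue
        deviations = findings_for(asset, baseline)
        if deviations:
            result[asset.hostname] = deviations
    return result


def coverage(assets: List[Asset], scope: Optional[Set[str]]) -> float:
    """Fraction of the inventory actually examined by a given scope."""
    if scope is None:
        return 1.0
    return sum(1 for a in assets if a.hostname in scope) / len(assets)


if __name__ == "__main__":
    sample = {"web-01", "web-02", "db-01"}
    print(f"sampled audit ({coverage(INVENTORY, sample):.0%} of inventory):",
          check_population(INVENTORY, BASELINE, scope=sample) or "no findings")
    print("full population (100% of inventory):")
    for host, issues in check_population(INVENTORY, BASELINE).items():
        for issue in issues:
            print(f"  {host}: {issue}")
```

Run against the constructed inventory, the sampled check reports nothing while the full check surfaces the legacy ERP host and the exempt executive account. The point of structuring the check around the asset inventory is that coverage becomes measurable: anything not in the inventory is never checked, which is why the list above starts with keeping that inventory accurate.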
Actual Benefits in the Long Run
In the long run, the benefits of a holistic approach to compliance far outweigh the satisfaction of the “certified” stamp. With advances in big data analytics and machine learning, it will become easier for audit firms to perform 100% testing instead of sampling—it’s only a matter of time.
Furthermore, as vulnerabilities are discovered and exploited, how long will it be before the resulting domino effect of damage extends to losses of protection such as cyber insurance, should coverage providers choose to reject claims from organizations that are certified but not actually compliant?
While compliance is a critical component of security, it doesn’t ensure security. It will always take extra care and attention to stay ahead of the threat. However, enterprises that put data protection first and apply that same diligence to the entire organization will not only be closer to compliance, but also more reliably secure.