Information security is a tricky field. Not only is there a constant stream of exploits that need to be guarded against, but even such basic concepts as what security is and how it can be implemented are fuzzy in many people’s minds. I’ve often wondered about the place of a compliance program in the larger arena we call information security.
Many large organizations are required to comply with various requirements involving people, processes, infrastructure, and technology to operate within the industry sector they target. In its simplest sense, compliance is a series of checkboxes that a business or organization is required by law or industry certification to tick off. But as every IT professional knows, IT security is a lot more than ticking off checkboxes. So while compliance and security are related, there’s clearly some difference between them. To help me understand this better, I recently talked with someone who is knowledgeable in this area. Andrew S. Baker is the president and founder of BrainWave Consulting, which provides cybersecurity and technology consulting services for small and medium-sized businesses. Below is what I learned from Andrew concerning the overlapping roles of an information security program and a compliance program in IT operations.
MITCH: Andrew, I’ve heard you say that a compliance program is not the same as an information security program, even though many people believe the terms to be synonymous. Both of these programs, however, have an important role to play in the success of an organization. Tell us first a bit about some of the compliance issues that IT has to deal with these days.
ANDREW: Over the past decade, we have witnessed a steady stream of security breaches to organizations large and small, and each year brings an increase in the magnitude and frequency of these breaches. Because of this growing problem, various governments and industries have established and promoted data-security and data-privacy compliance standards in an effort to assure their citizens, customers, and businesses that their data can be kept private and managed securely.
There are all sorts of compliance standards, addressing all sorts of organizations, industries, and regions of the world. In the United States, many people will be familiar with the following:
- SSAE18 System and Organization Controls (SOC) (formerly the SSAE16)
- Payment Card Industry Data Security Standard (PCI DSS)
- NIST-based standards such as FISMA, Risk Management Framework (RMF) and FedRAMP, which will be familiar to those who work with the US Government
Internationally, there is the ever-popular ISO 2700x family of information security controls.
However, the compliance standard that is currently dominating the business and technology news is the EU General Data Protection Regulation (GDPR), which is set to go into effect on May 25. Because it affects every business that manages any data of EU citizens, and because it has tremendous fines and penalties associated with noncompliance, it has garnered a great deal of attention — and angst.
MITCH: So if I hear you correctly, you’re saying that compliance does not equal security but that both are needed as far as IT is concerned.
ANDREW: While compliance programs are definitely related to information security programs, they are not the same thing. This may surprise many people, but I will make an effort to highlight the differences below. For the purposes of this article, we will use the term “information security” as an umbrella for physical security, data security, and data privacy.
The purpose of an information security program is to provide a framework for implementing and monitoring all elements of data security in an organization or environment, including policies, procedures, technical controls, and overall governance.
The purpose of a compliance program is to provide a consistent framework for evaluating an organization’s adherence to an information security standard by an accredited third-party assessor or auditor.
Again, compliance programs are not quite synonymous with information security programs, and strict adherence to a compliance standard will not automatically result in an organization being more secure. It is also fair to point out that just because your organization maintains a high-security posture, it does not automatically follow that your organization will pass the audit of every random compliance program. Alignment of compliance and security requires planning.
If we were discussing education, we could think of an information security program as having an excellent curriculum for some set of studies, say, physics, whereas a compliance program is more akin to having national standardized testing. I think that most people will agree that the ability to score well on standardized tests is not necessarily indicative of possessing a thorough, well-rounded education.
MITCH: If compliance is so important for businesses and organizations, why isn’t achieving it the complete answer?
ANDREW: Here are some characteristics of compliance programs that make them incomplete when it comes to having an excellent security posture:
- They occur on a periodic basis.
- They are often grand exercises in spot-checking.
- They often go for years between revisions and updates.
Compliance audits are very likely to be performed on an annual basis, with some of the more mature programs requiring additional checks quarterly or semiannually. Given how labor intensive compliance audits can be, it is not surprising that the auditors and audit victims are not keen to have them done more frequently.
When conducted, compliance audits are often performed using a subset of sampled data, and they often focus on a specific point-in-time. If an organization is lucky, the subset of systems chosen for review could be the very best ones, with the best documentation and that would lead to a good assessment — but not necessarily an accurate picture of the entire security posture of the organization.
Finally, it takes time for the standards to be updated to address the threats and risks that organizations are facing each day. Compliance standards can go for three to five years between major updates, and quite often they go for more than two years between even relatively minor updates. This is not surprising, as it is quite difficult to evaluate an ever-moving target, and compliance is primarily about the ability to consistently evaluate against a particular standard.
A compliance program should be a superset of an information security program, but that is not how it usually plays out in real life. In many cases, compliance just becomes the checklist that the organization pays attention to, with the least amount of effort and attention possible.
On the other hand, the bad actors trying to break into your network have no qualms about engaging in more frequent attacks. They find “hourly” and “daily” to be more suitable to their objectives than “monthly,” “quarterly,” or “annually.”
The bad guys are not spot-checking your environment — they are looking for the weakest link. And when they find it, they will look to exploit it for maximum benefit to themselves.
MITCH: How do you get the best of both worlds: security and compliance?
ANDREW: A good information security program is designed with the following goals in mind:
- Must be tailored to the risks that your organization faces.
- Must provide real, tangible benefits to the organization.
- Needs to be measurable and auditable.
- Focuses on people, processes, and tools.
- Is well-integrated with business processes and activities.
Because there are fines and other penalties associated with many compliance standards, organizations are more apt to implement them than they are to just go out and establish a robust information security or privacy program.
It is better to design a comprehensive information security program that is sensibly aligned with the relevant compliance standards that your organization is subject to than to put all your focus on barely passing compliance.
To continue with my educational analogy, a robust, well-rounded education is of much more value to you long-term than is the mere ability to pass selected standardized testing.
Organizations that focus on implementing and maintaining a strong information security program in order to be good stewards of the data they possess (whether for customers, business partners, or their own employees) will be better able to mitigate new cybersecurity risks and to adapt to new compliance standards. In the long term, they will spend less money on their information security program than those organizations that are just chasing compliance.
MITCH: Thanks, that helps a lot. Anything more you’d like to add?
ANDREW: A good information security program will greatly reduce the risks that your organization faces in managing corporate, customer, and partner data. A good compliance program, on the other hand, will give interested third parties (employees, customers, partners, industry regulators, government regulators) some assurance that you have a good information security program in place. In other words:
Good Security + Good Compliance = Better Business Opportunities
It is worth doing them both, so long as you do them wisely. This means you need to:
- Understand your business and its risks.
- Evaluate best practices that make sense for your organization.
- Review the compliance standards that are mandatory or simply valuable to comply with.
- Tailor your information security program to address the above, as efficiently as possible.
- Reassess on a regular (continuous) basis, and adjust as needed.
- Stay out of the news for cutting corners or underestimating risks.
It is possible to do well in school, for example, if you pay more attention to learning rather than test-taking. In a similar way, it is possible to do well in information security and risk mitigation if you pay more attention to having a solid information security program than on barely passing compliance.
Doing it right always costs less than doing it wrong, in the longer term. Remember, breaches are only going to get more extensive and expensive.