Compliance: Necessary But Not Sufficient (for Security)

Compliance is (or should be) a big dang deal for data center service providers.
But it’s also important to note that compliance is not nearly sufficient to ensure security.
It’s like having a lock on the window: it’s great that you have one, but do you always use it when your window is closed?
And what do you do to ensure security when your window is not closed?
Article by Tony Bradley in CSO Online.
Emphasis in red added by me.
Brian Wood, VP Marketing

IT security spending continues to increase, but does that matter?

Canalys projects global IT security spending will rise by more than $30 billion in the next four years, but that doesn’t necessarily mean we’ll be more secure.
Good news for the IT security industry! Canalys just released a report projecting that global IT security spending will increase by more than $30 billion by 2017–an annual compound increase of 6.6 percent. W00t!
According to Canalys, IT spending overall will continue to decline as a function of the struggling global economy, but investments in network and data security appear to be immune. Medium-sized businesses are a driving force behind the projected growth in Canalys’ prediction. The Canalys press release explains, “Medium-sized businesses are prioritizing more of their IT budgets and resources to ensure their businesses are compliant with various data protection regulations.”
Ah, is that what this is about? The old compliance game?
Don’t get me wrong. Organizations must and should comply with the regulatory and industry mandates that apply to their respective businesses. Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), the Payment Card Industry Data Security Standard (PCI-DSS), and more regional, federal, state, and industry requirements all serve some purpose and place a burden on the affected companies.
The problem is equating “compliant” with “secure”. It may be better than nothing, but just because an organization is able to check off boxes and pass an audit doesn’t mean their network is impervious or their data is invulnerable. Compliance frameworks are generally baseline, lowest common denominator approaches to ensure some degree of security and data protection, but they are by no means a silver bullet.
The danger with compliance as a driver of security reminds me of taking my kids to a public pool. The lifeguards told us we weren’t allowed to use our inflatable pool toys. I assumed it simply had to do with not wanting a thousand kids with obnoxious inflatable ducks paddling around, but I learned that the real reason had to do with not wanting to create a false sense of security. The pool had no issue with people using approved flotation devices–the kind that are certified to protect lives and prevent drowning–but their fear was that a parent would consider their child who doesn’t know how to swim to be “safe” in an inflatable device that can’t actually save their life. The parent might then lower their guard and not pay attention.
That’s compliance–a non-life saving inflatable pool toy. It can actually do more harm than good because executives and IT managers get some sort of false sense of security from passing a compliance audit, and then stop paying attention to what matters.
Even if it’s not all about compliance, spending more money on security tools and platforms also doesn’t inherently make an organization more secure. The reality is that almost every company can make dramatic improvements in security by properly configuring and utilizing the tools they already have, and by implementing and enforcing better policies.
Kevin O’Brien, enterprise solution architect for CloudLock, agrees. “Security is not about spending; what drives budget for security software and platform investment is a broader change in environment, rather than buying more or new versions of existing point solutions.”
Jason Wong, director of product marketing at SilverSky, feels that spending on IT security might actually be a good idea–as long as small and medium businesses are investing in managed security services rather than trying to do it all themselves. “In order to improve security, companies need to start getting out of the business of running it themselves. Security is more complex and resource-intensive than ever. Many SMBs are already using managed security service providers (MSSPs) and increasingly larger businesses should leverage the expertise and know-how that these vendors offer. If you have to secure your house, would you want to build and maintain your own complex alarm system or would you rather hire a security services company for a flat monthly fee?”
O’Brien points out that there are legitimate changes in technology that might drive IT spending in general. The shift to BYOD, cloud, and virtualization are all things that companies probably hadn’t considered when investing in their current IT infrastructure and security solutions even just a few short years ago.
That still doesn’t mean that solving the problem is as simple as throwing more money at it. O’Brien says, “Unfortunately, security is often an afterthought, driven by audits and statute rather than taken holistically. The reason those compliance-related events occur is that organizations are supposed to be respecting the ethical and legal requirements that define how they handle sensitive data. In practice, little effective action is seen until there is a ‘compelling event’ that mandates a change, and the simplest type of change to effect is to buy something.”
So, the IT security industry can rejoice over news that cash will apparently continue to flow for the foreseeable future. But, CSOs and other company executives should perhaps take a step back and view the problem more holistically. Rather than achieving compliance to pass an audit, consider what it takes to actually secure the network and protect the data.
The goal should be to achieve the spirit of the law–security–instead of just shooting for the letter of the law–compliance.