Is being compliant same as being secure? Which one is more important? I have faced this question number of times, either in networking dinner, or on lunch table or having a conversation with executives in an open environment. Consider your business is compliant with Personal Card Industry – Data Security Standard (PCI DSS), ISO 27001 compliant or compliant with all internal Information Security Policies and Standards. And, a news of a security breach (e.g. Sony or HMRC) hits headlines, and you face a question from an executive member, “Can this happen to us?” What is the answer that you will give to your board? If you say “Yes” it can happen to us, the next logical conversation would be, aren’t we compliant? Didn’t we spend X million to become PCI Compliant or become ISO 27001 certified?
Compliance and Security go hand in hand. But they are not one and the same thing. Being Compliant does not necessarily mean being secure.
Global Payments Breach was one of the big ones in 2012 that caught everyone’s attention. Global Payments lost almost 1.5 million card details; it could be more because Global Payments didn’t disclose exact numbers yet.
Recently Global Payments disclosed that associated costs of that breach so far is $93.9 million – but it will be more. What’s really interesting is that, only $2 million has been received from insurance companies. Guess what, Global Payments was PCI DSS certified. Did it make them secure? Why did that breach occur if they were PCI DSS compliant?
PCI DSS is “highly prescriptive in nature, but simply complying does not ensure security of cardholder data and makes an organisation secure. That’s what I like to call “False Sense of Security”. Being compliant does not make you secure. Compliance in not necessarily a bad thing. It becomes an issue when organisations simply rely on compliance to standards like PCI DSS to define their security measures and security posture.
We are in a tough business climate facing significant cost pressures. Budgets are lesser than ever before and business landscape is changing very rapidly. Today’s reality is that Information Security function is required to protect an organisation’s critical assets in hugely complex environments that include distributed and interconnected systems. The concept of network boundary is slowly diminishing with the introduction of cloud computing and consumerisation of IT.
Today we are faced with increasing challenges and constantly emerging threats are making our goal of “protecting our organisation and its critical assets” a bit more difficult. Not to add to the pressure, we are under constant pressure to reduce operating cost.
Reality is that regulators will not be able to move fast enough to catch-up at industry pace to define compliance requirements in this new world. Does that mean we will wait for regulators to define compliance requirements by learning from incidents and mistakes made by organisations? Organisations that rely on Compliance to drive their security initiatives will be left behind in this journey and may be at higher risk than organisation that practice Risk based Security.
Interestingly enough, there is NOTHING like 100% security in the real world. There is always going to be a situation where we will have limited amount of resources and we would need to take a judgment call on what controls and measures matters most and give best ROI. It’s important for all security functions to think about what future looks like for their business and define practical and pragmatic security measures and controls suitable for their business in this fast changing landscape.
Being compliant should be the by-product of having good security controls in place and not other way round. Organisations need to implement effective and pragmatic security measures within their risk appetite. While doing so, we need to ensure that a subset of THOSE security controls provides compliance required for regulatory and compliance requirements.
Unfortunately, reality of the world is that number of organisation do the minimal required to be compliant and constantly ignore the fact that they need to be proactive and have robust security measures in place to address existing and emerging threats.
Security is not a destination, it’s a Journey. Whereas Compliance is a Goal. Being compliant should be the by-product of having good security and not other way round. Picture says much more than the words and this picture from Javvad’s Video Blog sums up this argument very well.
On 17th January 2013, I gave a BrightTalk on the same subject “Is Being Compliant = Being Secure? Is One More Important Than the Other? Feel free to listen to my BrightTalk and don’t forget to provide feedback 🙂