Most of us have gone through the shocking realization that compliance certification does not mean that our environment is secure. We are forced to remember that security and compliance are different results. The question that comes up is: Is the compliance certification worth the effort it if it does not provide security? To answer this question, it is important to understand the relationships that can develop between security and compliance. There are 4 combinations of relationships.
In the first scenario, the enterprise is neither compliant nor secure. Security compliance is not mandatory and the team took advantage of this factor. It was only the huge impact of ransomware that revealed the need for compliance and security in the environment. The executives had a limited view of importance of data security with painful results. The recommended resolution for this issue is that all responsible organizations need to understand that security is an obligation to customers.
In the second scenario, the enterprise is secure, but not compliant. The organization being examined was defense-related and secure in a limited way. The company had the latest firewalls. They were, therefore, surprised when the organization lost data due to malware. Data security is based on a combination of people, processes and technologies working together to provide a better security posture.
In the third scenario, the enterprise is compliant, but not secure. The organization’s sensitive devices, i.e., point of sale devices, were secured by locks and monitored by cameras as was required by the Payment Card Industry Data Security Standard (PCI DSS) compliance requirement. The organization, therefore, met the compliance certification conditions. However, the locks were of lower quality and were easily opened, and the camera resolution was so bad that nothing was recorded in the darkness. Root cause analysis shows that the organization had installed locks and cameras thus meeting the security standards requirements, but by opting for cheaper options, it had disregarded the spirit of the framework. The recommended resolution for this scenario is that an organization should aim to satisfy the spirit of the security standard by using quality controls.
In the fourth scenario, the enterprise achieves the the ultimate goal—combining compliance certification to achieve maturity in security. This enterprise maintains an active compliance status supported with a culture of security. The steps to achieve this synergy are:
- Achieve compliance certification.
- Obtain support from executives.
- Do a self-assessment of your status quo.
- Create a roadmap.
- Bridge the gap by remediation.
- Evolve from formal certified compliance by implementing data security at a program level.
- Adopt and create a governance model.
The ransomware-like breaches that affected even organizations that were compliant has made it relevant to review the relationship between formal security certification and actual security status. We can learn to synergize the power of both strategies by using certification as a milestone on the strategic roadmap to security state. Instead of thinking in terms of security versus compliance, a better option is to achieve security via compliance.
Read Tony Chandola’s recent Journal article:
“Compliant, Yet Breached,” ISACA Journal, volume 5, 2017.