One of the most concerning trends for 2016 seems to be "Another day, another healthcare data breach." Breaches are becoming an all too regular occurrence, and not just among healthcare providers. Retailers, credit and financial institutions, entertainment giants, and even governmental agencies are falling prey to hackers at an alarming rate, and in many cases are exposing very private customer data in the process.
Companies scramble to meet their compliance audit deadlines; yet the number of breaches continues to rise. Contrary to the goals of compliance, all too often a company's compliance effort becomes more like earning a "participation trophy." These companies skate by on the pretense of security because they checked all of the boxes on a form, instead of truly making strides to improve their organizational security posture. The stark reality is that they are kidding themselves and instilling a false sense of confidence in their security, rather than putting in the effort needed to accomplish their goals.
Compliance alone won’t win you any awards
Why compare this to a participation trophy? Ultimately, it boils down to the fact that compliance alone won't win you any awards. In the security game, the threats are still present and breaches can still occur. Sol Cates, Chief Security Officer at Vormetric, voiced what most IT security industry insiders already know:
"'My company is up-to-date on compliance standards,' you say. Congratulations! You can avoid government fines for at least another year. But if you really think being compliant means your data is safe, you, my friend, have another thing coming."
It's understandable that companies want to meet compliance standards. After all, acknowledged compliance is good for business, as customers look to companies for transaction and data security. But, more to the point, compliance also helps companies avoid regulatory fines, which can set them back tens (or hundreds) of thousands of dollars for each incident or exposure that occurs while they are out of compliance. Additionally, when reports of non-compliance or actual breaches are disclosed publicly, companies lose credibility in the industry and customer retention may suffer.
The fact is, compliance is really only a single piece of a company's much broader security posture "puzzle." Without all of the pieces placed correctly and working together in unison, the picture isn't complete. Think of the puzzle as a game and the trophy analogy follows naturally: these are games that all organizations MUST play, but settling for the participation-only award simply leaves security flailing in the wind.
Truth be told, data is big business. Nowadays, between Internet of Things (IoT) devices, mobile and handheld computing, and even automated telephone bank tellers, practically everyone is using some company's data store, sometimes multiple times per day.
Every company wants your business, and those same companies typically want to gather your data. Their sales and marketing efforts rely on big data because advertising can then be tailored to better suit their target markets. Additionally, business partners often share data among themselves in order to deliver a cohesive customer experience and establish trust between their services or products. However, with this data warehousing comes responsibility, and with that responsibility comes work.
A reactive approach is a losing strategy
Earlier, I noted that compliance is only one piece of the puzzle. Looking at it closely, it is in fact the most reactive piece of the puzzle. A good security posture is built from many pieces: policy, procedure, analysis, and compliance, to name a few.
Policies and procedures are proactive measures, intended to set the tone early in the process so as to establish consistency and a baseline of activity for securing the environment. This makes security easier to maintain from the outset. Analysis is typically both proactive and reactive. Proactive analysis, for instance, may mean evaluating new technologies and ensuring they are developed securely.
Reactive analysis might include reviewing a breach in order to determine the "hows and whys" of how it occurred, so that the organization can remediate the situation, prevent future occurrences, and minimize damage. Compliance tends to be reactive in nature, in that to comply with a rule or regulation, that rule or regulation must already be clearly defined.
Therefore, if an organization's efforts are focused on compliance and do not account for the other pieces of its security puzzle, it is not playing the game with a winning mindset. Such organizations lack focus and strategy, problem-solving skills, and awareness of new and emerging threats and threat actors. Their focus is too narrow, and while they may earn their participation trophies in the short term through successful audit results, they fall behind the curve, eventually losing not just a level or two, but the entire game. Not only that, but they may never be welcomed to play the game again.
Companies need to take a more comprehensive and forward-looking approach to their security, one that covers their data and their entire solution stack. They need to continually test and evaluate existing as well as new and emerging products, such as identity and access management solutions, that not only adhere to standards but also allow the flexibility and room to grow needed to accommodate future security initiatives. Information security teams must remain focused and vigilant, accounting for the latest threats and advisories, and must have the tools at their disposal to effectively manage the environment.
Finally, a well-rounded security mindset must begin with C-level management and should incorporate all aspects of both proactive and reactive security. As this mindset flows throughout the organization, all employees become involved, and a strong, security-focused team emerges, with a drive to win.