Most people consider regulations in technology a success, but the measures they use are odd. Clearly, regulatory efforts have created quite an industry. There are whole worlds of consultancies, programs, and software sold based on the need to be in compliance. Many organizations feel that they will mitigate their exposure to data assurance problems by meeting provisions in the regulatory compliance guidelines.
Just like almost any diet will result in better eating through paying attention, the effort to meet compliance goals has likely improved many things in IT. For issues like privacy and accounting, where the process is the point, compliance has been a true solution.
This compliance approach is often suggested for IT security. After all, some surmise, security consultants are always talking about policies just like regulatory advisors, right? We can see this happening again in the UK with the recent report dealing with the massive, public breach of the TalkTalk system that held headlines for a while.
There are serious issues with treating IT security as a set of policies. They can all be captured in one thought – security is a battle, not a concept. If you go to battle with a plan, and never alter that plan when you find the facts on the ground have changed, you will lose. If the enemy gets your plan, then the enemy can counter it perfectly. If the senior generals feel the plan is done and the battle is won before the shots are fired, then there will be nothing you can do to get them to authorize tactics that may swing the tide when needed.
Compliance is Always a Race to the Bottom
When you’re in the mindset of compliance, often the enemy is simply complacency. Why do people handle data in irresponsible ways? Usually because they are too lazy to do it the right way. The regulation lays out what they must do and settles the debate.
“That sounds an awful lot like security to me,” says almost every executive. The difference, of course, is that when you handle data irresponsibly from a regulatory view, your “adversary” is the auditor who may notice months from now, or the consumer who may be harmed by the action. Neither is actively looking to exploit you right here, right now. In security, the bad guy is always there waiting to pounce.
Maybe that sounds overly dramatic, but the facts on the ground say it’s the case. How can you react to that reality? What you simply cannot do is take the “compensating controls” approach that is the hallmark of compliance.
Essentially, organizations will do implicit or explicit math about the financial risk of being out of compliance. The expediency of doing things the “wrong way” may deliver the best financial outcome regardless of what the “right” thing to do would be. This is the essence of profit-motivated thinking, and exactly what we should expect any corporate entity to do. It’s also exactly why we can’t treat security this way.
Security will never succeed as a practice that does the absolute minimum. Adversaries are waiting to pick out the targets that have done the minimum and make them pay dearly.
Bad Guys Like Shortcuts, and Security Regulations Provide Them
Picture the classic “hacker” image: some youngish, scruffy man sitting at a messy desk in a dark room with a lot of monitors, cycling through unfamiliar-looking windows of scrolling text and incomprehensible images. Now he looks at the screen in front of him, pulls up a web browser and googles your organization’s website. He pulls up your site, goes to the “About Us” page, and sees the logos you proudly display of the security regulations you comply with. A smile cracks across his face. Now he knows exactly how to get you.
Of course, this image is so far out of date as to be dangerous. But it communicates the important point that if security were like regulations, then the bad guys could find out which ones you use, select attacks known to work against such regulations, and attack.
“We always do more than the bare minimum,” some may object. As we just discussed, the facts don’t bear that out. So security regulations would make most organizations potentially more vulnerable, not less.
Security as Regulation Takes Executives off the Front Lines
The need to have executives on the front lines in IT security is well-covered territory. Executives need to be involved to ensure that the authorization to act is never far from hand. While executives are often very interested in regulations that may lead them to jail time, they aren’t involved in the day-to-day actions of the teams dealing with compliance.
That disconnect from day-to-day operations may make sense when you can measure audit cycles in months, but when the enemy is attacking every minute of every day, there is no time for can-kicking when it comes to making decisions.