I used to work with a guy who was significantly overweight. I ran into him in the cafeteria one day and he mentioned that his doctor recommended that he eschew large lunches in favor of lighter foods like salads. He proceeded to the salad bar where he buried a few greens, onions, and tomatoes under a mountain of cheese, deli meats, and blue cheese dressing.
So my fellow employee was complying with his doctor’s recommendation to eat more salads but his methodology wasn’t going to meet the doctor’s objective of improving his health.
This little story is a good analogue for the growing gap between regulations and cybersecurity. Clearly, regulations like California SB 1386, FISMA, HIPAA, and PCI DSS were designed to help protect the confidentiality and integrity of sensitive (and valuable) data. This worked to some extent as it forced organizations to improve information security processes and invest in new cybersecurity technologies in order to adhere to regulations and pass regulatory audits. Unfortunately regulation also led to a few unintended outcomes such as:
1. A regulatory compliance-focused industry. Somewhere around 2006, the information security was absolutely gaga over regulatory compliance – especially PCI. This was especially true with regard to SIEM products which were being redesigned to collate log file data into slick looking compliance reports.
2. A “check-box” mentality. During the same timeframe, it was fairly common to see information security professionals running around the enterprise with clipboards. The goal? Make sure their security controls were compliant with multiple regulations. Some security professionals in the Federal space admitted to spending more than 50% of their time engaged in these types of check-box exercises instead of bolstering defenses, learning about new threats, or improving incident detection.
These issues may seem mundane but they come at a cost. When cybersecurity best practices give way to regulatory compliance, we find ourselves chock full of clipboards and pretty reports but extremely vulnerable to social engineering and advanced malware attacks.
Many organizations now recognize this regulatory compliance conundrum and are responding with their pocketbooks. New enterprise investment in cybersecurity is now driving innovation in required areas like Advanced Malware Detection/Prevention (AMD/P, Damballa, FireEye, Sourcefire, and Trend Micro), big data security analytics (IBM, LogRhythm, PacketLoop, RSA Security, Solera Networks), and continuous monitoring (FireMon, Red Seal, Symantec). Compliance is still there but it no longer plays a starring role like it once did.
Regulatory compliance can be a good thing if it forces a lethargic and indifferent population of organizations into action. Over the past few years however, regulatory compliance turned into an end rather than a means to an end (i.e. improving information security). Since there was a ton of money involved, the entire information security industry became complicit in this misguided detour. We are now going through a costly transition from compliance to real information security best practices and technical defenses. In other words, we may be compliant but our actual cybersecurity defenses and processes are pretty weak -- and it's gonna cost a ton of dough to fix them.
My old colleague recognized the errors of his ways, has taken on a few lifestyle changes (i.e. diet and exercise), and is now much healthier than ever. Let’s hope that the cybersecurity community can make a similar transformation before its historical unproductive adaptation of compliance leads to further waves of cybercrime, hacktivism, and business disruption.