July 7, 2020

The Security/Compliance Disconnect

I was speaking with someone recently and they tossed out one of the most despised phrases I know:

“Compliance is NOT security!”

I told them to stop right there and take it back or our discussion was over. Since they really wanted my opinion on the actual topic at hand, we continued. But I felt the need to explain why I find this statement so repulsive, which, by the way, has nothing to do with my being an auditor.

The first point I make when discussing this phrase is that security frameworks are merely the foundation for a good security program, not the whole enchilada. They are only the starting point, and great security programs must go well beyond them. The bottom line is that achieving compliance with any security framework means your organization can execute the basics consistently.

The next important point I like to make to people who spew this trope is this: if you read any of the data breach or security reports from the likes of Verizon, Trustwave, SecurityMetrics or any other recognized security company, what do you see? That the organizations breached could not comply with any of the recognized security frameworks, be it PCI DSS, COBIT, NIST, HIPAA, pick your poison. Unfortunately, as these reports point out in annoying detail, organizations rarely execute the basics consistently, because if they did, they would likely not have been breached. That punches a huge hole in the whole “compliance does not equal security” argument.

Another point about this statement is that organizations high-five over being compliant with a security framework when it really means that they are mediocre at best. Yet time and again I hear back after PCI assessments that management is so proud that they were assessed compliant. “Yeah, we achieved mediocrity!”

Finally, there is the question of how you measure how well your security program is operating. You must have a “yardstick” of some sort, and for that you need one of the security frameworks. Given that these frameworks are only the basics, you need to add in all the additional controls your organization has in place that go beyond the framework. That activity typically identifies a huge gap in the security program: there are few, if any, additional controls. So, there you sit with, say, the PCI DSS as your “yardstick”, and your organization cannot consistently execute the basic security controls in that framework.

Yeah, that is it!  It is the yardstick’s fault!


6 Responses to “The Security/Compliance Disconnect”


  1. J.C.
    July 8, 2020 at 9:49 AM

    Perhaps the saying should be “Compliance is the lowest acceptable bar of security”

  2. July 8, 2020 at 6:39 AM

    I have heard this many times before, and I have used it myself. Personally, I have always thought of compliance as the “you must be this tall to ride” sign at the amusement park.

    That said, my thoughts are similar to yours, e.g., compliance with a framework is just the start and not the be-all and end-all. I think the challenge lies in the additional controls that need to be added. I also think some frameworks “get” this concept better and get to maturation as opposed to “ticking the checkboxes.”

    • July 8, 2020 at 7:28 AM

      There is no doubt that some frameworks are more complete than others. NIST gets a lot of grief over SP800-53. But people forget that NIST is a “peel the onion” framework and that there are a LOT of other SPs issued that drill ever deeper into information security. If people truly followed the complete NIST framework they would be forever assessing themselves and seeing all of their control failures.

  3. samcontrolscan
    July 7, 2020 at 3:01 PM

    Bravo! This phrase drives me nuts as well! It’s about time someone had the cojones to stand up in defense of compliance. It is not an end-all-be-all, to be sure, but it is excessively arrogant (and ignorant) to be so dismissive of security frameworks. They are not only essential for organizations in pursuit of a mature security program, they also serve as a common lexicon and reference point for industry discussions on important security topics and best practices.

  4. Cory
    July 7, 2020 at 2:53 PM

    Interesting twist. I use that comment all the time to say that we need to do better than just being compliant. I guess I just assumed that other people used it the same way.

    • July 8, 2020 at 7:24 AM

      Nope! They use it to dismiss the very thing that they should be following for the basics. The real problem in information security is that only a small percentage of organizations can do the basics consistently. And even then, they get breached. Prime example of this is Target. At the time of their breach, they had one of the best infosec operations around. But because of a really skilled attacker and misunderstandings about their environment, they still got breached.


Announcements

If you are posting a comment, be patient, as the comments will not be published until they are approved.

If your organization has a PCI opportunity, is in need of assistance with a PCI issue or if you would like the PCI Guru to speak at your meeting, you can contact the PCI Guru at pciguru AT gmail DOT com.

I do allow vendors to post potential solutions in response to issues that I bring up in posts. However, the PCI Guru does not endorse any specific products, so "Caveat Emptor" - let the buyer beware. Also, if I feel that the response is too "sales-ee", I reserve the right to edit or not even authorize the response.
