Over the past year, I’ve met IT pros, their managers and executive leaders around the world. I’ve met with execs from Dell, Softbank, Blue Cross/Blue Shield, NTT Japan, Northrop Grumman, Raytheon, Japan’s Ministry of Defense, Lockheed Martin, Tesco, the State of New Jersey, Target and other organizations. I’ve had the good fortune to talk with technicians and CISOs from many of these organizations, as well.
As I’ve spoken with various people, I’ve seen some organizations that are poised for success. They have the proper maturity of operations and a unique approach that make them good examples. I’ve seen others that, frankly, have a longer path to follow before they can say that they’re on good cybersecurity footing.
Does Compliance Inhibit Cybersecurity?
In late April 2019, I spoke at CyberUK, the United Kingdom’s largest government-oriented cybersecurity event, about ways that various organizations – public and private alike – have taken steps to escape what I call the cybersecurity metrics matrix.
I was lucky enough to have a very, very engaged audience. In fact, the discussion lasted long after my initial talk when I spoke with several folks at the CompTIA booth about a topic that I had mentioned quickly during my presentation.
I brought up the concept of compliance in a rather snide way. It’s one of the truisms in cybersecurity for people to take a bit of a dim view of compliance-based approaches. The general wisdom is that even though an organization might be, say, Payment Card Industry Data Security Standard (PCI DSS) compliant, Health Insurance Portability and Accountability Act (HIPAA) compliant or even General Data Protection Regulation (GDPR) compliant, that organization can still get majorly hacked.
After all, compliant organizations have been hacked: Marriott, Equifax, British Airways, Managed Health Services of Indiana, Dunkin’ Donuts and many others were all compliant to various standards when they got hacked. The logic among some cybersecurity pros is that compliance can actually cause more harm than good.
I basically stated this idea, quoting a pen tester I know from MasterCard, who told me at RSA San Francisco 2019 that “the compliance industry has a lot to answer for.” Even though he ended his sentence with a preposition, I thought his statement was worth repeating. Quite a few folks at CyberUK agreed; I saw quite a few nodding heads.
This time, an astute audience member called me out on my observations, and she left me with quite a bit to think about.
Making Compliance Work for Cybersecurity
I can’t name the health care organization that she worked for, but I can tell you why she felt that compliance – if done right – can really work. I found her argument to be absolutely compelling.
As proof, she stated that her organization had made the following changes over the past two years:
- They hired a cybersecurity and physical security compliance officer who has complete oversight over the current network, as well as the physical premises of the organization.
- The CIO and CISO now have a dotted-line reporting relationship to the compliance officer, which means they oversee some of the compliance officer’s activities, but she does not fully report to them.
- All current – and future – network plans must be reviewed and approved by the compliance officer. The compliance officer I spoke with emphasized the importance of having someone who understands the implications of what is being proposed.
- All new hires must be reviewed by the compliance officer.
- Security analytics reports and pen testing results must be presented to the compliance officer for consideration and approval.
In short, this health care organization had created an office and officer that has the authority to approve or alter its physical and cyber assets. I’ve found this to be a relatively rare situation. While most organizations have compliance officers, they don’t all seem to have the kind of authority that she has.
She agreed that taking a checkbox approach to security never really works. But it’s also not quite fair to reduce the efforts of a properly enabled compliance officer to any checklist.
Avoiding the Compliance Checkbox Mentality
When I asked her how she avoids the checkbox approach, she said she relies heavily on several teams, including penetration testers and cybersecurity analysts, to get the most context and perspective possible. This is why she made sure to talk with me about my compliance comments.
She loved my presentation about the need for using red teams and blue teams properly because it reflected her need to have proper context and improvement metrics. She was especially interested in my observations about how these teams are context engines that allow organizations and their leaders to create more situational awareness. Even with all the wonderful security controls and technologies, such as security information and event management (SIEM) systems, most organizations struggle to create good context and metrics.
Over the past couple of weeks, I’ve had the good fortune to talk a bit more with that compliance officer. I’ve also had some time to really think about what a good compliance officer can do, as long as they are properly empowered.
I’ve concluded that compliance, if done right, isn’t all that bad. In fact, it can be very, very beneficial, as long as you use your teams correctly. Most organizations, I’ve found, don’t quite have the operational maturity for that, such as proper segregation of duties. Still others struggle to review the metrics they’ve already set. Most still don’t use their teams correctly as context engines that allow them to really understand their exposure to security threats. But I am confident that at least this health care organization has things pretty well in hand.