Having served on a national information security standards working group, I’m keenly aware that compliance is a major driver — if not the primary driver — for security initiatives today.
Compliance rules work best when the threat of inaction is tangible and immediate. Usually, the threat is “we will fail external audit unless we comply with X,” and thus management is highly motivated to comply with X, spending resources it otherwise would not.
There are many issues with this approach:
- The majority of small & medium businesses out there are not subject to periodic audit. Without the big stick of a negative audit opinion, compliance rules are routinely ignored.
- Initiatives are often designed to pass audit with the least amount of work. Little or no effort is expended in actually understanding the risks and designing controls appropriate for that level of risk.
- Within large enterprises with complex infrastructure, compliance teams and auditors can realistically only sample small parts of the overall system, leaving large gaps unexamined.
- Auditors are often too reluctant to “fail” an auditee if the auditee has appropriate “processes and procedures” in place. Auditors generally “believe” an auditee who says a pending issue is being addressed. However, these processes and procedures often exist only on paper, and sometimes no action is taken until an auditor starts complaining.
- As an extension to the above, often what’s being audited is only the paperwork (existence of standards, directives, design documents, change logs, etc.), not the actual systems in use.
- Compliance does not equal security. Standards, rules and regulations cannot replace common sense.
I could go on and on. None of these problems are new, mirroring issues with auditing in general.
Having said all that, I truly believe compliance-driven initiatives do help organizations improve their security posture. Even when companies just do the bare minimum required, that’s still more than doing nothing.