HIPAA, GDPR, PCI, CIS, NIST. Does any of those acronyms sound familiar? Chances are, you’ve heard of several and have a general understanding of what they’re all about. For those that don’t, these are examples of regulatory compliance frameworks, and their aim is to provide policies and processes for security controls and best practices so that organizations can more effectively minimize security risks and privacy threats.
The ideas within these frameworks are so important that they’re often required by central governments or industry-specific groups, and the potential penalties for non-conformity can run well into the millions of dollars (and even into the billions in extreme cases).
With that in mind, one might assume that full conformity to these standards and regulations would result in their digital infrastructure being totally and completely secure – certainly enough to keep out today’s most common threats. Yet, if you were to put on the news this evening, there’s a good chance you’ll see yet another story about an organization that has fallen victim to a data breach – even though it complied with the applicable compliance framework.
So, how can this be? And how should businesses approach the relationship between compliance and security?
Compliance is Critical
In order for businesses to safely provide their services, they absolutely need to comply with a regulatory framework that corresponds to their specific industry and the type of activities being performed. This will dictate the type of framework that should be used, such as data protection, health information, credit cards, etc. Some examples include:
- To hold patient data in the USA, you must be HIPAA compliant.
- To perform card payment transactions, you must be PCI compliant.
- To store or transfer the personal data of EU citizens within the EU, you must be GDPR compliant.
If you aren’t compliant, then you will not be approved to provide the corresponding services. Just imagine if a social network could no longer store personal data or if a health provider couldn’t store patient information – their business operations would immediately come to a halt and they’d be in big trouble.
What Do Compliance Frameworks Actually Achieve?
At first glance, one might assume that the framework is here to help protect the organization itself by providing the processes and procedures necessary for a secure digital environment. This can also be validated via auditing and reporting to show that certain protection levels are being achieved. However, when you take a deeper look, it becomes apparent that the main reason for these frameworks isn’t to protect the organization itself, but rather the data that’s being stored and/or transmitted within.
The ongoing digital transformation we’re experiencing is showing no signs of slowing up and has permanently altered the business landscape as a result. Data has never been more important or valuable – there are now businesses that are literally built around data – but its important to remember that the organization and its data are still two distinct entities that each require attention.
If that’s the case, however, then why employ a shared framework? Try to think about it this way:
Say you have a business with multiple physical sites and data is being shared between them. One of these sites burns down while the rest of the sites remain operational. You and your data are intact. There could be a minor downturn for a while, but the business can continue to operate as usual.
Now imagine that same business has a data breach in which customer data was leaked. While there was no physical damage, this event will have a much bigger impact on the business and its ability to continue operations as normal. There could be negative media attention, you will have to address the event and its impact with your customers ASAP, and depending on how the situation is handled – it may or may not affect your reputation or lead to legal action.
Both scenarios are devastating to any business but in different ways. A digital loss isn’t insignificant just because you can’t see it or touch it in person like you would with a damaged building. On the contrary, digital loss can have a much more severe and long-term impact.
The Compliance Mindset
Compliance is a big job, make no doubt about it. It’s a critical task for the business and sufficient time should be taken to do it right. And considering that to undertake business in specific industries and locations, you won’t have a choice and will need to abide by the regulations no matter what, else you’ll suffer fines or even the complete shutdown of your business. Thus, it is paramount that compliance is achieved, proved, and maintained.
Because of this, many people adopt a compliance-first mindset for cybersecurity, meaning that your decisions are focused on the frameworks and maintaining compliance. This may put any other cybersecurity initiatives in second place. This compliance mindset, whilst fine and often necessary to carry out business, can sometimes be highly restrictive, slow, and inflexible.
Each regulatory framework takes a vast amount of time to implement from the ground up and then to update, meaning that by the time a framework is released, it is already out of date to the latest threats that are out in the wild. Whilst eventually these new threats will be covered after an updated framework version is released, there will be another set of threats, and on and on it goes.
Technology moves far too fast for these regulations to keep up, often focusing on generalized best practices (i.e. have an EDR solution, use MFA, etc). Regulatory bodies are simply unable to identify and provide guidance on every threat faced. The biggest reason for this is that they do not know your organization, or any other specific organization. Each organization will have different technology stacks, locations, user bases, customer bases, and whilst they might operate in the same section, they will be fundamentally different.
With a compliance mindset, you may be focusing on ticking the regulatory boxes but may neglect to explore additional opportunities for protection whilst achieving, proving, and maintaining compliance.
A secure mindset is focused on achieving the best possible security posture for an organization within the confines of its business operations and finances. Working with best practices, knowledge, and experience rather than being guided by compliance frameworks can allow for a stronger security posture to be created when compared to a compliance-driven approach. With a secure approach, you will naturally complete compliance controls as you are implementing a stronger posture than what is typically required.
This isn’t to say that you will be able to tick off all of your regulatory checkboxes just because you are being “secure.” But it will get you down the line with wider business-impacting results than when just focusing on compliance.
It also doesn’t mean that someone with a secure mindset is less familiar with the regulations that their organization must adhere to. Likewise, someone with a compliance mindset may not know how to make things secure. They both have the same aim but are coming at them from different directions, with their own set of limitations.
Is Regulation Itself a Problem?
In a heavily regulated organization, such as a bank or a health care provider, regulation and compliance are king, and you have no choice but to put them first.
This has an undesired effect on any additional cybersecurity improvement initiatives, given they must compete for funding and scheduling against business-critical compliance programs.
As the organization’s ability to carry out its business is heavily dependent on it achieving compliance, it is only natural that financial controllers assign more importance to this than maintaining a strong security posture. Ever noticed that it is the heavily regulated sectors that are most often in the news?
By constantly chasing compliance, you’re chasing controls that are already out of date and it is a catch 22 which you can’t escape. Be compliant and be less secure or be more secure but not compliant which results in fines and affects business operations. You will be found out for not meeting compliance and suffer, or you might be breached before you can afford to upgrade your posture, again you can see why these decisions go the way they go.
Necessary for the Common Good
Regulations aren’t going away any time soon, in fact, more are on the horizon, but that doesn’t mean our approach to how we go about achieving compliance needs to stay the same.
By injecting more security posture considerations (secure mindset) into your decision-making processes, you can start to blend the organization’s security posture and compliance requirements. This makes for a more organic process of achieving compliance whilst continuing to improve your security posture. Take as much time reviewing and protecting the areas of your business that don’t directly fall under compliance controls as those that do, chances are these are going to be the areas where you will get breached from.
It’s good to keep in mind that being compliant and being secure are two fundamentally different things. Once you get audited on and checked on regularly, the other is only proven insufficient when you’re breached, completed audits count for nothing at that point. Compliance provides cover against regulatory risk, but businesses are exposed to other risks due to business continuity, operational risks and most importantly brand identity and credibility, each of which can directly translate into financial damage.
Don’t think of the regulations as the destination of the journey or the end game, but instead treat them as merely a foundation to build on or as a stop on the journey that can improve it as a whole.
You might also be interested in:
Comparing Sysmon and EclecticIQ Endpoint Response – Event Filters
Hunting Emotet Made Easy with EclecticIQ Endpoint Response
Investigating NATO-Themed Phishing Lures With EclecticIQ Intelligence Center and Endpoint Response Tool
*** This is a Security Bloggers Network syndicated blog from EclecticIQ Blog authored by EclecticIQ Endpoint Security Team. Read the original post at: https://blog.eclecticiq.com/compliance-does-not-equal-cybersecurity