After years of security teams reaching into the regulatory compliance budget bucket to find the funding they need for their security efforts, some organizations are noticing that while it won short-term capital, the practice has come back to haunt them in the long run. And while it does sound cliche to hear that compliance does not equal security, many enterprises are taking steps to make sure their focus is on building resilient IT and not merely on passing an audit.
A recent report from the IT expert professional community Wisegate, Moving From Compliance to Risk-Based Security, found that the top driver for implementing a risk management program is to meet regulatory compliance requirements. Fewer than half of respondents cited the general threat landscape or an interest in getting in front of attackers.
That troubling attitude could explain why so many organizations remain in firefighting mode—jumping from one breach or security emergency to the next without any chance of getting in front of the risk.
While it can certainly be argued, and strongly so, that security wasn't taken seriously in the days prior to regulatory mandates such as Sarbanes-Oxley, PCI DSS, and the myriad other regulations and data breach disclosure laws that followed, it's also certainly tougher to make the strong case that, long term, organizations are better off today for their efforts. Disappointingly, many organizations are doing only the minimum of what needs to be done in order to pass the next audit and to be able to show management that their IT systems are compliant.
"The entire reason why these regulations were instituted was to try to make sure that organizations are more secure, but sadly what is often happening is checklist compliance," says Candy Alexander, former CISO at Long Term Care Partners, LLC, and currently a member of the board of directors at the Information Systems Security Association.
Why is this? Because compliance is an easier sale to executives, experts, and CISOs. "If you actually look at the best business use of capital, for many executives it's debatable if spending large amounts of capital on security makes sense, just from a pure return on investment perspective," says Martin Sandren, enterprise architect, security at Blue Cross Blue Shield of Massachusetts.
There are a few companies that really "get it," explains Alexander. "They know they are compliant, but they also know that they may, or may not, also be secure."
These sentiments align with the findings in our eleventh annual Global Information Security Survey, conducted by PricewaterhouseCoopers CSO, and CIO magazine. The survey of more than 9,600 organizations found that only 17% of respondents had what would be considered a mature risk management program. Such a program would consist of an organization having an overall information security strategy, employing a CISO or equivalent who reports to executive leadership, having measured and reviewed the effectiveness of security within the past year, and understanding exactly what type of security events have occurred in the past year within the organization.
So how do organizations move away from the compliance and checklist mentality to more comprehensive risk management? "It's a big jump," says Tim McCreight, CISO for the Government of Alberta, Canada. And it's a jump that includes leaping from reacting to incidents when they occur and trying to force security controls onto the business to enabling the business to understand the risks and make the appropriate risk-based business decisions. "That requires the business to understand its risk tolerance levels," says McCreight.
Sounds simple, but it's anything but. How do security professionals get the business to not only care about IT security risks, but also understand the business consequences of accepting too much IT risk?
Sandren explains how it takes good security metrics. "We have a governing structure at Blue Cross Blue Shield that is based on a risk assessment that is completed and then signed off by the business," he says. "It's not an easy thing to do, and it's always going to be hard for an organization to accept the cost of risk, and officials often either don't want to accept any risk, or they want to just ignore the risk entirely."
Mike Rothman, analyst and president at IT security firm Securosis says that regardless of the difficulty, one of the best persuaders are data. "You are going to want to collect as much data and metrics as you can to present to the business. How you are reducing risk by responding more quickly and how investments in security are protecting business-critical assets will get their attention," he says. "Executives love charts and numbers, and the more accurate and believable the better."
McCreight agrees on the importance of winning the hearts and minds of the business as a way to move from a compliance-driven to an IT risk management-driven program. He adds that taking small steps of integrating security into business operations can go a long way as well. "Is the network security team aware of new projects as they arise? Is security brought in during the design phases of new IT initiatives? They need to be an integral part of the process," he says.
What it comes down to is that it's about a not so insignificant shift in objectives—from compliance to making systems more resilient to attack. And, just like IT security itself, there's no simple checklist on how to get there. "There's no right or wrong way to get there. Each and every organization is going to be different because all have different risk profiles; they have different risk tolerance levels," Alexander says. "The important thing is to work on getting there."