The Dangers of Over-Reliance on Compliance

Consultants Charles Cresson Wood and Kevin Beaver offer a more holistic look at information security requirements

Have you noticed that many of the firms suffering high profile, serious, and expensive information security breaches have nonetheless been 'compliant' with certain laws, regulations, or standards? Consider the case of credit card processor Heartland Payment Systems, which recently suffered the unauthorized disclosure of over 100 million credit card and debit card transactions. The firm handles the transactions of over 175,000 merchants. Hundreds of banks have already had to reissue cards as a result of the breach. Note that Heartland was, at the time, certified as fully Payment Card Industry (PCI) compliant. Many other organizations that fall under various Federal, state, and industry regulations are continually experiencing breaches as well. According to The Chronology of Data Breaches (, millions of records have been compromised thus far in 2009.

Management at far too many organizations has been placing too much emphasis on compliance. Adequate information security cannot be achieved by simply being in compliance with all relevant laws, regulations, and standards. As much as management might like the definitive statement that this compliance provides (and certainly there are marketing benefits of such compliance), all these compliance efforts still say nothing about whether management has taken the time to do the necessary risk management. These compliance efforts still say nothing about whether management has struck the right balance between competing security-related objectives and struck this balance in a manner that is specific to the environment in question.

A common problem we see is the inability of information security and compliance managers to focus on what's important when it comes to compliance. Certain people focus solely on security operations, at the same time overlooking important technical issues. Others believe that running security scans on a periodic basis is enough. Some believe that running down a checklist of compliance requirements is all that's needed. Sorry, but it's not that simple. We've even seen situations where the people in charge weren't aware of what they needed to comply with, such as state breach notification laws. Wise managers know what they're up against and have the ability to determine what's appropriate in the context of the business rather than treat everything as black or white—right or wrong.

The Shifting Landscape

Part of the problem here is that these laws, regulations, and standards are static. In contrast, information security is dynamic, in fact very rapidly changing. Managers who believe that they are going to establish a secure environment by simply doing the minimum, simply becoming compliant with the requirements specified in laws, regulations, and standards (and hopefully legal agreements as well), will be woefully disappointed. A formal risk management process is instead required. Managers need to look at the unique circumstances of their computing environment—things like the level of user awareness about information security, the type of information systems technology deployed, the type of products and services offered. The nature of the controls needed will then be a function of these situation-specific factors. All of this work of course needs to be performed after a risk assessment is completed, an exercise that needs to take place at least every year. Information systems evolve and change too quickly to warrant anything less.

Another part of the problem is human nature. People want shortcuts—a direct result of the innate human need for instant gratification. Furthermore, people don't want to have to pay any more money than they have to, people don't want to have to think deeply or exert more effort when they are already overwhelmed with other matters. The problem is also a function of societal expectations. Wall Street focuses on short-term results, and rewards managers who cut costs today, even though these same managers may be risking the organization's bankruptcy in the longer term future.

Likewise, the legal system has not yet established the proper incentive systems. Often those in a position to do something about security problems are not legally liable for losses. For example, the operating system vendors are not being held liable for the many damages done by malware, such as Trojans, even though we have had the technology to eliminate malware entirely for many years (and it was in fact incorporated into many mainframe systems). The focus in the information security field has recently, as a result of these psychological and societal factors, been short-term and unduly narrow in scope.

Part of the blame can also be rightfully placed on the shoulders of product vendors in the information security marketplace. Many have oversold their products, leading management to believe that user organizations can simply buy their products and install them, and presto, you've got markedly improved information security. For example, Kevin recently attended a vendor sales presentation that would lead many to believe that all they needed for compliance and security was this one product. As convincing as the sales pitches and marketing fluff may be, the reality is that compliance does not come in a box. The reality is that organizational infrastructure must be built around the products in order to have them work properly. Here we are talking about policies, procedures, contingency plans, operator training, etc. It is in the context of a risk management perspective that the true contribution of products can be seen clearly. Because risk management processes are iterative, where they keep going back over what works and what doesn't, where they keep improving on the work that has already been done, that is the reason why they can clearly show what products can and cannot do.

What's a CISO to Do?

The role of the Chief Information Security Officer (CISO) should in part be that of technical advisor to top management, so that top management will then strike the right balance between a variety of competing objectives such as cost, ease of use, response time, security, availability, and recoverability. There is ample evidence that CISOs are not striking this balance well these days. This can partially be attributed to people without a solid technical foundation being placed in this management role. The Heartland case is only one of the more prominent examples. Other fields suffer from the same lack of balance. For example, in physical security, much attention has recently been paid to anthrax and avian flu. At the same time, big, real and pressing threats, such as the depletion of global petroleum supplies, are being largely ignored.

The first step in the direction of a more balanced and reality-centric approach to information security involves facing the problems directly. We must separate the truth from emotional reactions. For example, it is a waste of resources for all Americans to take their shoes off as they go through the scanning machine at airports. Those making the decision to impose this additional cost on all people were evidently driven by political appearances, tribal responses to terrorist threats, ungrounded emotional reactions, or something else other than the facts. No terrorist has ever used a shoe bomb to bring down a plane. Someone tried, yes, that is true. But our tax dollars would be much better used to employ psychological analysis of travelers, as the Israeli police service has already clearly shown.

Compliance has been popular, in part because it is simple and it is actionable. It often involves a checklist of items that practically anyone can go through to see where they stand. Management can say to the CISO: "Make sure we are PCI compliant," and the message is clear. It is much more difficult for top management to say, "I want to have evidence that you have a functional risk management process, and that it's working as it should be." The latter takes some work and thought, although the benefits are well worth the effort. In support of this view, a risk management process is now integrated into the ISO/IEC 27000 series of information security standards. There's no need to re-create the wheel. The ISO standards—among others—can be used as a basis for everything you likely need to effectively manage information security.

Granted, it is good that we certain new laws, regulations, and standards. Many organizations would have done nothing serious about information security if it were not for the penalties and visibility associated with these requirements. But an adequate level of information security is not going to be achieved via these compliance efforts alone. In many cases such basic compliance efforts only serve to create a false sense of security. Most, if not all, information security laws, regulations, and standards will ultimately mandate a formal risk management process. The fact that many of them do not do that right now is a reflection that the field is still relatively immature. Organizations wishing to up-level their own information security efforts, wishing to do what they will soon be required to do, will take the initiative today to incorporate a risk management process into their approach. It will not only help minimize business risks now, but also create a foundation that will serve to minimize time, money, and effort on information security initiatives long term. ##

Charles Cresson Wood, CISA, CISM, CISSP, is an independent information security consultant based in Mendocino, California. He is the author of a number of information security books including Information Security Policies Made Easy

. He can be reached at

Kevin Beaver, CISSP, is an independent information security consultant, speaker, and expert witness based in Atlanta, Georgia. He has authored/co-authored seven information security books including Hacking for Dummies. He can be reached at

Copyright © 2009 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)