Cybersecurity has become a major concern for companies as hacking events have increasingly run rampant. Despite the constant efforts of companies to meet security standards, these events continue unabated. I’d like to suggest that companies are prioritizing the wrong things when attempting to protect their critical infrastructure from cyber crime. Given the continued increase in breach events, I believe companies become dangerously complacent with security once their compliance requirements are met. In my previous position with a major payment card brand, I investigated merchant breaches. While in this position, I studied countless merchant breach reports where the victims had met compliance requirements, yet still experienced a breach. In many cases, these victims were also ending up on the front page of major news outlets. I was left asking myself: how do these breach events continue to happen when these companies are proving they are compliant with security regulations? It soon became clear to me that simply meeting compliance requirements is insufficient. While I do think compliance is a good and even necessary part of any effective security strategy, no strategy should end with compliance. Over the years, I have learned that real security strategy starts when you begin implementing a risk-based approach aligned with your business initiatives. When you start examining your security posture through the lenses of cyber risk and business alignment rather than mere compliance, you will begin to see compliance initiatives easily falling into place. In other words, compliance does not equal security, but security equals compliance.
Major Issues with Cybersecurity Compliance Enforcement
Working with different companies, I have observed that positive compliance reports lure CEOs and members of the advisory board into a false sense of security. This puts a Chief Information Security Officer (CISO) in an awkward position because these reports go up the hierarchy to CEOs, CIOs, CFOs, and board members, who flip to the last page, see the compliant stamp, and conclude they “are secure.” These reports can bolster false notions of safety, causing executives to direct resources into other company initiatives. These high-level decision makers don’t intend to put their company at risk; rather, they have not been adequately educated about the critical differences between compliance and security. It is the security officer’s responsibility to seek out these decision makers and educate them on how compliance reports differ from taking a risk-based approach to security that aligns itself with the organization’s business initiatives.
"Compliance does not equal security, but security equals compliance"
Effective Measures to Address Security Enforcement Challenges
In many ways, addressing these challenges is as simple as going back to the basics. Identify your most important data and ensure you have the proper controls in place to protect it. Too many times IT teams get overwhelmed with endless requests for enhancements, upgrades, and quick-to-market solutions, unfortunately leading to security taking a back seat to delivering on business expectations and timelines. However, is it not a business expectation that we keep company and customer data protected? I believe we can achieve the best of both worlds by focusing on the simple things. Security best practices like network segmentation, identity and access management, patching, encryption, and two-factor authentication are all things IT and security teams should employ. But where do you start and how do you get there? I highly recommend you start with the book “Secure Enough” authored by Bryce Austin. This is a quick read that highlights table-stakes questions and strategies business leaders should consider when thinking about cybersecurity and protecting their most critical assets. This book is available on Amazon and should be on every business leader’s desk.
Identifying the Right Technology Solution Provider
When contemplating the deployment of new technology, I usually refer to other security leaders who have already leveraged the technology in their organizations and appraise the technology through their evaluation. Additionally, having your technology providers prove they can deliver what they are selling is essential in ensuring your deployment will be successful should you allow them to win your business. I recommend putting two or three technology solution providers head-to-head against each other to see who comes out on top. To ensure these proof-of-concept exercises are successful, give them all clearly documented success criteria. If one of the providers does not meet your success criteria, they don’t make the cut. Keep in mind that success criteria should go beyond discovering whether the solution actually works or not. Also consider whether your staff can support the product, whether there are hireable resources available that have experience with the product, and whether the solution vendor is accessible and willing to maintain a relationship after the purchase has been made.
Advice to Others in the CISO Position
First and foremost, get involved in the CISO community. If you don’t have a CISO community in your area, start one. There will be others hungry to have someone else to share expertise and experiences with. Consider that today’s CISO has every disadvantage in the world. Our adversaries have us out-financed and out-motivated. They are not limited by budget cuts or requests for additional full-time staff. They don’t have the added stress of dealing with corporate red tape, personnel issues, or politics. Bottom line, they always have the advantage. Our only chance to be in the proper position to respond to the inevitable is if we pull together as industry leaders, check our industry-related competitive egos at the door, and begin sharing our experiences and knowledge with each other. Let’s be honest, we need all the help we can get. By getting involved with your local CISO community, you will find a group of peers that struggle with the same challenges you do and are eager to help. Lastly, I recommend getting involved in the Security Advisor Alliance (SAA), a non-profit organization created by the CISO community. The SAA’s charter calls us to align our security leaders, grow the security space, and give back to our communities. These types of initiatives not only help educate the next generation of security leaders, but also move our industry forward in a positive direction. We can absolutely meet these challenges if we work together.