What’s the Actual Role of Compliance?

May 26, 2015

Not long ago, I claimed on this blog that compliance is dead. Obviously, my point wasn’t that standards such as HIPAA and PCI DSS aren’t necessary, or that they aren’t evolving, because they are – it was that organizations have to stop looking at compliance as anything other than a way to protect themselves against fines and sanctions.

Compliance is all too often conflated with security. But recent data breaches have proved that it provides no real defense against hackers, and therefore no defense against the spiraling recovery costs and loss of business that usually follows a security incident. Sure, the likes of PCI DSS are updated every few years in response to the latest hacking threats, but the hackers themselves are coming up with new ways to compromise their targets’ systems at a much faster pace.

And yet the mindset persists, even in the sectors with the most to lose. A recent Dark Reading article by Kevin E Greene, software assurance program manager at the Department of Homeland Security Science and Technology Directorate, describes the phenomenon in detail:

“In the federal government, the first thing people want to know is: has the system been C&A’d [certification and accreditation process]? … Having led and participated on many C&A teams, I became extremely frustrated with this checklist or checkbox approach.

“Oftentimes the teams would be comprised of individuals with very limited technical knowledge and system experience conducting the compliance review. This leads to information systems passing the compliance tests, but failing majorly from a security protection perspective.”

Greene adds that this practice isn’t restricted to the federal government: so long as an organization’s IT people can provide appropriate documentation and “speak intelligently with some understanding of risk management”, they can “zip through the compliance process with flying colors”. This probably gives them the impression that they’ve done plenty to protect their data and networks from hackers, when their defenses are, in reality, sorely lacking.

Compliance Is a Starting Point, but It’s Not Security

The scenario described above makes compliance sound somewhat like a meaningless activity, or even a liability that distracts attention from the things that really matter. Obviously, though, it still has a role to play in the enterprise: most pragmatically, it offers a benchmark for organizations to measure themselves against to avoid fines or sanctions from regulatory and industry bodies.

So while we can’t just wash our hands of HIPAA and PCI DSS compliance, because they remain very real obligations, we can recognize that this box-checking, ‘just enough’ mindset isn’t going to guarantee security in any shape or form. Compliance can help us understand the risks in our environments, but it is only that: a starting point. Effectively managing those risks follows logically from satisfying the requirements of compliance auditors, but it demands a far more rigorous, organization-specific security strategy than simply obeying the stipulations of a generic framework.

Compliance is a baseline. If you want to protect your organization against a data breach in the current climate, the smart thing to do is to go above and beyond the compliance standards.

Looking to fulfil your compliance objectives but also do more to actually protect your organization from a data breach? Find out more about Cryptzone’s secure access and data security solutions.


Philip Marshall

As Cryptzone’s Director of Product Marketing, Phil Marshall brings over 14 years of experience in both product and services marketing, as well as 10+ years of experience in the high-tech publishing space with publications including Dr. Dobb’s Journal and Byte magazine. Prior to joining Cryptzone, Phil worked at the security firms Rapid7, Positive Technologies and RSA. He was also a Senior Product Marketing Manager at Black Duck, the leading open source governance and management firm.

A speaker at recent (ISC)2 and ISACA conferences, he has participated in numerous webinars and panel discussions and has presented on topics including Identity Security, Application Security, and Open Source Governance and Management.

Marshall earned a BA at Bates College and an MBA, cum laude, at the F.W. Olin Graduate School of Business at Babson College.
