What’s the Actual Role of Compliance?
Not long ago, I claimed on this blog that compliance is dead. Obviously, my point wasn’t that standards such as HIPAA and PCI DSS aren’t necessary, or that they aren’t evolving, because they are – it was that organizations have to stop looking at compliance as anything other than a way to protect themselves against fines and sanctions.
Compliance is all too often conflated with security. But recent data breaches have proved that it provides no real defense against hackers, and therefore no defense against the spiraling recovery costs and loss of business that usually follow a security incident. Sure, the likes of PCI DSS are updated every few years in response to the latest hacking threats, but the hackers themselves are coming up with new ways to compromise their targets’ systems at a much faster pace.
And yet the mindset persists, even in the sectors with the most to lose. A recent Dark Reading article by Kevin E Greene, software assurance program manager at the Department of Homeland Security Science and Technology Directorate, describes the phenomenon in detail:
“In the federal government, the first thing people want to know is: has the system been C&A’d [certification and accreditation process]? … Having led and participated on many C&A teams, I became extremely frustrated with this checklist or checkbox approach.
“Oftentimes the teams would be comprised of individuals with very limited technical knowledge and system experience conducting the compliance review. This leads to information systems passing the compliance tests, but failing majorly from a security protection perspective.”
Greene adds that this practice isn’t restricted to the federal government: so long as an organization’s IT people can provide appropriate documentation and “speak intelligently with some understanding of risk management”, they can “zip through the compliance process with flying colors”. This probably gives them the impression that they’ve done plenty to protect their data and networks from hackers, when their defenses are, in reality, sorely lacking.
Compliance Is a Starting Point, but It’s Not Security
The scenario described above makes compliance sound somewhat like a meaningless activity, or even a liability that distracts attention from the things that really matter. Obviously, though, it still has a role to play in the enterprise: most pragmatically, it offers a benchmark for organizations to measure themselves against to avoid fines or sanctions from regulatory and industry bodies.
So no, we can’t just wash our hands of HIPAA and PCI DSS compliance; they’re still very real obligations. We can, however, recognize that this box-checking, ‘just enough’ mindset isn’t actually going to guarantee security in any shape or form. Compliance can help us to understand the risks in our environments, but it’s only that: a starting point. Effectively managing those risks follows on logically from satisfying the requirements of compliance auditors, but it demands a much more rigorous, organization-specific security strategy than simply obeying the stipulations of a generic framework.
Compliance is a baseline. If you want to protect your organization against a data breach in the current climate, the smart thing to do is to go above and beyond the compliance standards.