Regulatory Security Compliance vs. Effective IT Security Program
April 11, 2018
The big news lately seems to be all the data breaches, ransomware attacks, and security hacks that businesses around the world are suffering through. According to Ernst & Young, cybersecurity threats are evolving faster than they ever have. In part, that’s because just as software is offered as a service, so is malware. Criminals can get their hands on basic malware programs just as easily as your business can access email. From there, it’s easy to alter the code to be better or more effective.
Fighting the rise in cybercrime, the Federal Government has released numerous compliance regulations designed to protect data and systems. Dozens of pieces of security compliance regulation exist, but three of the most common are:
- Sarbanes-Oxley (SOX) – Financial compliance regulations that govern information disclosures.
- Health Insurance Portability and Accountability Act (HIPAA) – Regulations that guide the privacy, security, and protection of healthcare information.
- Federal Information Security Modernization Act (FISMA) – Regulations about the way government information and data are handled, which also affect private businesses that serve the government.
Compliance Regulations Are Not Security Programs
For many businesses, compliance with industry-specific regulations is the only real guidance they have for IT security. The thought is that if the company can pass a compliance audit, then security should be good enough to protect the business and its customers. Unfortunately, that is not the case.
Compliance is often viewed as a minimum level of security, when, in reality, compliance is a snapshot of your security program at a single moment in time. Here’s how it works. Regulations outline the requirements to meet compliance. Those regulations are based on past security threats. Businesses then use those regulations to guide security controls.
In some cases, the businesses will work hard to reach compliance, so that if an audit occurs, they can pass without incident. However, once that level of compliance is met, no additional efforts are put forth. This practice is flawed in two ways.
First, to be effective, security should be proactive. That means preparing for threats that are evolving from hour to hour. Compliance relies on historical data but doesn’t build in consideration for future threats.
The second flaw is the failure to realize that effective security is not a constant state. Rather, it is a state that changes rapidly, and as such, security tools and applications that worked well yesterday might be worthless tomorrow. Without constant attention, your security program becomes stale and ineffective, and the risks to your organization grow exponentially.
If Being Compliant Isn’t Enough, Then What Is?
Here’s a quick question you should ask yourself:
What’s the purpose of your security efforts?
If your purpose is to pass a compliance review or audit, then you’re not focused on security. Security isn’t compliance. Compliance is an element of security, but to create a security program that will protect you and your customers, security must be a priority. All the time.
Businesses should dig into their security capabilities at a granular level, reviewing every aspect from hardware and policy to implementation, maintenance, and training to see where improvements are needed to keep the company and its customers safe. If this isn’t taking place on a regular basis, efforts need to be reevaluated.
You may need some help along the way with hardware upgrades, developing policy, or implementing training. It’s okay to turn to a trusted partner that can help you improve your security posture. Just be sure to choose someone that can help you focus on your overall security program and not just on reaching a state of compliance that will get you by until the next audit or review is scheduled.