Compliance is to Security as Laws are to Morality

(Note: The following is a repost of a blog entry that appeared on earlier this summer.)

By Taher Elgamal
Chief Security Officer

July’s big security breach saw hundreds of thousands of account numbers compromised despite the fact that the host was compliant. The same is true of the Heartland breach that happened months ago; they were also compliant. And you can find a few dozen more of these, smaller ones perhaps, where people spent millions of dollars on PCI and still had data breaches. Philosophically, here is where I stand: We invented compliance as a tool for businesses to be able to tell how well we are doing with our security. That’s the purpose of compliance. But somewhere down the line, compliance became the goal, not the tool. Our sole goal now is to merely be compliant with something! And, as it turns out, when you do that, you actually forget what you wanted to do in the first place—prevent leakage of account numbers, not just be compliant.

This applies in a lot of different areas, not just PCI. But I think PCI is a very good example of these issues. So people go through the PCI checklist, and there are twelve areas, and each area has several things, and they walk down one at a time and say, “Yes, I did this” and “Yes, I did that,” and they get a certificate. And, of course, two months later, half of the machines change configurations. New people came in, old people left. And you end up with a network that looks very different from the one that got certified.

But you can’t certify someone every day. The cost is already very high. There’s no way you can do anything more than the annual thing. And it turns out it’s becoming a pure cost, because people get certified and they still suffer through the breaches. But when you get one of these big breaches, you pay a lot of fines and fees, and it’s a very expensive proposition.

We need to start a conversation that says, “What we need to do is achieve a better level of security in our important networks.” And that implies that we understand what it is that we need to do, and that day-to-day management of important systems, machines and applications has to be implemented correctly. We’re not going to PCI certify every single thing all the time, but we need to basically carry the ideas from these compliance regulations in our daily activities because that’s how we manage correctly.

Honestly, that’s the only way you can achieve any level of security to survive.

Unfortunately, traditional security thinking here demands that we look at PCI and other standards as cures, silver bullets to fix things. And the entire industry is now thinking that that’s the wrong thing to do, because there’s not ever going to be a single silver bullet. It’s really about day-to-day management of things. We need to steer people away from thinking that “Maybe PCI is the wrong thing. Let’s look for the right thing.”

There is no such thing. The right thing is to go back to basics. Have the right security policies in place. Make sure you have a team and a head of security that understand the issues. Do day-to-day management. Self regulate. Have the team validate what they’re doing. Forget about the silver bullet. There will never be a technological solution that fixes the security issue. Ever.

And the security issue changes constantly because the ways hackers breach these systems actually change with time. It’s not about closing the old hole only for people to find new holes to get through. It’s about how you build an ongoing scheme.

What do you think? Are the big breaches of 2009 anything less than quintessential examples of organizations trying to do the right thing but forgetting that the tool and the goal are actually completely different issues? Can’t it be said that compliance is to security as laws are to morality?
