Companies that make regulatory compliance the sole driver of their information security efforts could be weakening their long-term security posture instead of improving it, according to IT managers at the 32nd annual US Computer Security Institute conference held last week. Therefore, it's better to make compliance a by-product of a broader corporate security strategy -- not its sole end objective, they said.
"Every time you try to manage risk by a checklist of [compliance] items there is a very real danger'' of overlooking other important issues, said Jack Jones, chief information security officer at Nationwide Insurance Co.. "Checklists cast the world in black-and-white terms. They are valuable. But [by themselves] they don't allow organizations to take a good, rational and logical view of all the circumstances" that affect risk.
Those warnings come at a time when regulatory compliance requirements have made information security a topic of board-level discussion. The results of an annual global survey, released earlier this month by Ernst & Young, for instance, showed that compliance issues have replaced worms and viruses for the first time as the biggest driver of information security.
At a high level, regulations offer companies a set of guidelines that, in theory, constitute good security practices, Jones said. "It's very hard to argue with concepts like 'least privilege,' and 'need-to-know' and 'defense-in-depth.' That's all in keeping with everybody's strategy of managing risk."
Even so, problems arise when meeting compliance requirements becomes a company's sole security strategy, said Fred Trickey, information security administrator at Yeshiva University. "Compliance is a measure of your security posture relative to the specific regulations you are looking at. In one sense, it is of value to the information security community because it does give external validation of the things you've been working on."
But using compliance with a specific regulation as a measure of overall security is risky and can create a false sense of security, he said. "It's very important that you don't lose sight of evolving threats, evolving risks and attack models. If you are entirely focused on regulations to the letter you will lose sight of that."
A lot depends on whether companies tend to view compliance as the ceiling of their security efforts or as a minimum set of requirements within a broader security framework , said Gerhard Eschelbeck, chief technology officer at Qualys. "It all depends on where you set the bar," he said.
A lot of the controls and processes companies are required to implement are already understood and should be in place, said Ben Rothke, senior security consultant at Thrupoint, a management services company in New York. This is especially true because there is a huge overlap in the requirements spelled out by different regulations, Rothke said.
"The problem with compliance is that people tend to take a myopic view of what needs to be done whenever new regulations come out," he said. "The point needs to be made that those organizations with a solid security framework in place could easily handle any regulations thrown at them."
The need to comply with regulations such as the Sarbanes-Oxley Act, Gramm-Leach Bliley Act and Health Insurance Portability and Accountability Act have certainly heightened the discussion around customer privacy and security, said Greg Framke, CIO at ETrade Financial. "But these are things we have been talking about and doing things about for a while," he said in an interview unrelated to the CSI show. As a result, "I see no particular challenge with compliance."