There are two things about security and compliance that bother me. The first is security and the second is compliance; the first clearly isn’t very effective and the second is a nonsense.
The problem with both is that they are abstract ideas that have little meaning in reality. If you try to define the concept of being secure it really boils down to not being insecure. Sure, you can say that security is the maintenance of availability, confidentiality, integrity and this, that and the otherity – but it really means nothing because our knowledge of security is quantified only by its loss. We could spend £1 million per month on security and not be secure; we could spend nothing on security and be secure. The difference is solely defined by whether we are currently compromised or breached; and that, empirically, has little to do with the size of our security budget.
In some ways, compliance is a bureaucratic methodology to ensure that we at least do something. The purpose is to try to ensure that we are secure by regulation. There are two approaches: one is to say you must be secure or else; while the other says you must do this, and this and this or else. In the first instance, just like security itself, a company is compliant regardless of what it does right up until a breach proves that it is not compliant – so what is the point? In the second instance, doing this and this and this to be compliant will not make you secure, which is the purpose of compliance – so what is the point?
The danger comes when you put the two together. You have to be compliant even if it is pointless. That, frequently, is the law. Its purpose is to provide security; so all too often concentration on compliance is all that is done in the name of security. Security thus becomes a tick-box compliance effort, which won’t make us secure but will at least keep us legal. The danger in compliance is that it can lower the bar on security.
So is there no hope? Should we all just accept our insecurity; simply tick the minimum number of boxes necessary to be compliant and hope for the best? Well, no – there is hope; but it’s coming from the practitioners (CSOs) rather than the theorists (security industry) and compliance legislators (governments). What is happening is the slow realisation that security is not a thing in and of itself, but nothing more than an aspect of business risk management. It is not a thing to be acquired, but a concept to be managed.
A new report from the Wisegate community of IT executives – including CSOs – demonstrates that security theory is being replaced by risk management methodologies. Rather than a blanket desire to ‘be secure’, CSOs are starting to manage the business risk. Instead of security being a meaningless concept protected by numerous discrete and leaky band aids, it is becoming part of the continuous management of the business’ level of risk tolerance. Within this approach, compliance becomes an aspect of risk management; security becomes a process within risk management; and people become as important as products.
The report is called Moving From Compliance to Risk-Based Security: CISOs Reveal Practical Tips – it’s worth a look.
Compliance – at least European regulatory compliance – bothers me. Whenever I speak to a security expert, those concerns are allayed for just so long as we talk; and then they come back again.
The problem is that Europe passes principle-based legislation (the US is more likely to pass rule-based legislation). The former tells you what must be achieved (the principle), while the latter tells you how it must be done (the rules).
The European Data Protection Directive is a perfect example of principle-based legislation. It says that personal information must be held securely; but it doesn’t tell you how it should be done.
Here’s my problem. Data that hasn’t been lost or stolen has, de facto, been held securely and the company is in compliance – even if it spends nothing on compliance. Data that has been lost or stolen has not, de jure, been held securely and the company fails compliance even if it has spent many ££millions on compliance. The existence or lack of infosecurity defences is irrelevant: if you lose that data, then you are in breach of the act; if you do not lose the data then you are not in breach of the act.
I’m not interested in claims that proof you spent money on security will make the ICO (a marketing man, mark you – not a lawyer) go easy on you. That’s just marketing dross to hide the underlying contradiction.
What I want to know is quite simple. How can it possibly be right to frame a law that states someone who tries to comply can fail compliance, while someone who ignores compliance can be compliant? The result is that there is no logical reason to spend money on securing personal data – just hope you don’t get hacked. This is aggravated by the common and growing perception that if you get targeted, you will get breached. So if you get targeted, you will have failed compliance whether you try to comply or not. Why bother?
Sometimes you just have to laugh for fear of crying. The Information commissioners Office (ICO) strategy for 2012 makes me do just that. It is a 17 page purple prose self-aggrandizing Declaration of Independence, declaring itself to be independent of political, public and media pressure. It should just simply say that ‘we will uphold the law in our role defined by the law.’
But it doesn’t do that. It seems more concerned to distance itself from the letter of the law by defining its own interpretation of the law, and to align itself with that interpretation. It has, in short, evolved an overblown idea of its function, which it attempts to define in this rather long and mis-titled public-relations document. I give just a few examples:
we will neither be exclusively an educator nor exclusively an enforcer. We are both, even though we prefer to deliver our desired outcomes through help and encouragement rather than force. This means we are primarily a facilitator…
In the time-honoured liberal tradition it has failed to understand that facilitation is delivered by enforcement, not enforcement delivered by facilitation.
We cannot address all risks to the upholding of information rights equally nor should we attempt to do so.
Yes it most certainly should attempt to address all risks to the upholding of information rights equally.
we will treat all cases that come to us fairly and properly but not necessarily pursue them with equal vigour.
This is perhaps one of the most worrying comments. The ICO is declaring that it will decide, arbitrarily, whether your complaint is worth its attention. Not the law, not the judiciary, not parliament, not you, but its own self will pre-judge a case and decide whether or not to pursue it with vigour.
we will devote particular effort to investigating, analysing and ultimately enforcing in those cases that we see as contributing most to the delivery of our desired outcomes and not just those presenting the biggest risk…
Not just those presenting the biggest risk. It really does say that it, the body responsible for enforcing the Data Protection Act, is not necessarily going to spend its effort on the biggest risk.
Laugh or cry? You decide.