Security and compliance: can you ever have one without the other?
Security and compliance go together like love and marriage – you can’t have one without the other. That is the common perception (we’re talking of course solely about the infosec aspects of compliance). But is it true? Are security and compliance synonymous? If you are secure, will you be compliant? If you are compliant, will you be secure? What, in short, is the relationship between the two?
Here’s my problem. The purpose of the infosec aspects of the Data Protection Act is to keep personal data secure. But how can you be compliant with this requirement? If you have the strongest security in the world, you still cannot guarantee that the data won’t be lost. If you have virtually no security, you might never lose the data. The only empirical test for conformance, or at least the lack of it, is whether you keep personal data safe. If you lose the data you are not compliant, regardless of your security. If you do not lose the data, you are compliant, regardless of your security.
This leads to an important question: if compliance is purely a legal requirement effectively disconnected from security, will it lead companies to concentrate on legal compliance to the detriment of true security? To help me understand, I spoke to a number of security experts.
Lars Davies, CEO at Kalypton and a one-time visiting fellow at the Centre for Commercial Law Studies, Queen Mary, University of London, is clear on the relationship. “The problem comes from the fact that compliance and security are not commutative,” he told me. “One does not necessarily infer the other. Compliance infers security. Security does not infer compliance… Compliance tells you what you need to achieve. Good security is simply one of a set of components that you need to achieve the goal.”
Infosec in this sense is a tool for compliance, not a required effect of compliance, although confusion arises because you must use security (and therefore gain security) in order to achieve compliance.
“If you are compliant then you must be secure; your security must be fit for purpose,” continued Lars. “You simply cannot not end up with the lowest common denominator at all and still remain vulnerable. If you are vulnerable then you cannot, by definition, be compliant.” So, “If you are compliant you must, by definition also be secure… Compliance and security are like pregnancy, you either are or you are not.”
This gives me a problem, since I believe it is impossible to be secure.
“You define security as the ability to avoid compromise,” replies Lars. “That is one definition. However, it does not say avoid compromise absolutely. It is impossible to avoid compromise if you are the subject of a targeted attack. However, you can make such attacks extremely difficult, and you can put in monitoring processes and procedures to try to detect and thus counter those attacks. That is also part of achieving security. You must continually refresh and update your security tools based on your on-going assessment of their suitability to meet your requirements. That is what you need to do as part of your efforts to achieve compliance.”
This is also the view of Edy Almer, VP Marketing and Business Development at Safend. “The reality is that to be ‘secure’ is a continuum not a discrete state. Compliance mandates acceptable risk points along that continuum. If you are compliant there is a very reasonable possibility that your risk is lower than it would otherwise be.”
David Emm, senior security researcher at Kaspersky Lab, comes to a slightly different conclusion from the same argument. “Security is a bit like housework, by which I mean it’s a process, rather than a fixed set of actions or tools implemented in an organisation. Regulations are invariably static and may not keep pace with technological developments – either positive ones or those that attackers make use of. I think there’s a parallel here with health and safety legislation. A company may be compliant for the annual inspection; but if it plays fast-and-loose with safety for the rest of the year, how ‘compliant’ is it in reality?”
Howard Sklar, senior corporate counsel at Recommind and advisor to the InfoRiskAwareness Project, takes a slightly different view. “Being ‘compliant’ doesn’t necessarily mean secure. ‘Compliance’ means ensuring that your people, process, and technology all work together to meet standards or policies. To turn compliance into security, you need to make sure that the standards you set are sufficient to keep you secure. If your policies allow for open access for everyone, including the public, then having totally insecure computers would still be compliant: you’re meeting the requirements that you set out. They’re just the wrong requirements.”
Paul Davis, Director-Europe at FireEye, has a more traditional security-centric view. “Simply put,” he says, “compliance is a necessary step towards better security; but inadequate by itself to protect against advanced malware and sophisticated cyber criminals. Compliance regulations set the minimum requirements for organisations to meet by only accounting for generally well-known cyber attack tactics and threats. We’ve all heard of the successful attacks on ‘compliant’ organisations like Epsilon marketing and even computer security companies, like RSA. Today’s advanced malware can bypass traditional and next-generation firewalls, AV, IPS, and Web gateways easily. Being ‘compliant’ does not mean the network has been ‘secured’, but rather that it has taken the first step towards protecting customer data, intellectual property, and sensitive information. Compliance is only one of the first steps towards a secure IT infrastructure.”
Mehlam Shakir, CTO at NitroSecurity, sees the danger in treating compliance as the winning line rather than just ‘one of the first steps’. “For many businesses it is a vital necessity that they are compliant with regulations such as PCI DSS, GPG13 or CoCo; but there is a rapidly emerging trend of organisations just thinking about what needs to be achieved to reach compliance – which is undermining and negating the security measures that should be in place as a first point of call. This means that more and more businesses are finding themselves at risk because basic security measures are either not in place or up-to-date.”
“Being compliant to a standard is important to having better security; however it doesn’t always guarantee that the network is secure,” agrees Alex Teh, Commercial Director, Vigil Software. “What I mean is that quite often being compliant to a particular standard like PCI DSS relates only to the part of the network that is holding credit card information and not security in general. Quite often the role of a QSA is to limit the extent of the network that needs to be PCI compliant. This often means ruling out major parts of the network to reduce cost.”
And there’s another potential by-product. Compliance requirements could persuade companies to become ‘early adopters’ of apparently relevant new technologies. “But if the organization is one of the ‘late majority’ in the technology adoption lifecycle,” explains independent governance and risk consultant Roger Southgate, “they may be significantly less vulnerable than organizations that are early adopters of new technologies, and in effect the trail blazers in identifying what security requirements are most appropriate for their risk appetite.” ‘Don’t be the guinea-pig’ has always been good business advice.
Am I any more clear about the relationship between security and compliance? No, I am not. The main issue is well described by Frank Coggrave, General Manager EMEA, Guidance Software. “Compliance is backward facing and security should be forward facing,” he explains. “Compliance is about adherence to rules that have been set in the past (by definition) that reflect the thoughts, worries and concerns that created the desire to have the rule. Although they can try to take account of future expectations they will always fail to do so, to some greater or lesser extent. If compliance was perfect why would we have a set of financial rules called Basel III – Basel I should have been enough. Security is about responding to today’s and tomorrow’s threats and concerns. It needs to be more reactive than a compliance cycle. Compliance is important to ensure you don’t leave yourself exposed to the old stuff, but it’s no security blanket – there are too many moths active out there.”
So after all of this I can come to only one conclusion. If security and compliance are like love and marriage – we need a divorce. Ensure compliance for the sake of compliance regardless of security, and seek security for the sake of security regardless of compliance. Don’t let one influence the other and you will be more successful in both.