#bsidessf2017: ‘Swimming Upstream’ – Regulation vs Security

Speaking in the Security BSides San Francisco 2017 keynote, Robert Wood explored the age-old battle between regulation and security, discussing some of the key challenges of juggling security best practices with compliance.

In his session ‘Swimming Upstream: Regulation vs Security’, Wood pointed to three main issues that have created many of the regulation and security problems we see.

The first, he said, is the fact that there are a “zillion” different regulatory frameworks out there, which have left us “drowning in the complexity that is compliance” and have left already overburdened security teams with too much to manage.

The second is a case of “compliance as security theater”, in which it has become common for companies to put their “best foot forward” whenever they are going through an audit, portraying themselves as security compliant and “clean” in a business sense. Not only is this often an unrealistic picture of how compliant they really are, but, because of budget limitations, the control frameworks they have in place usually fail to cover some of the more prevalent attack vectors, such as social engineering.

Lastly, Wood referred to what he dubbed the “gotta catch em all” problem, whereby people become so enamored with tracking every control that they forget about security best practices and lose sight of whether or not the controls they are implementing are actually effective.

That is where we are today, or at least where we have been, Wood continued, so now it is time to ask ourselves how we can change it. He suggested the following as useful strategies for doing so:

•    Find the entities that can help bring about change
•    Find out what is most important to those entities – is it purely regulation, or is it the bigger picture of security?
•    Make your efforts visible; do not operate behind an iron curtain, and show people how much work there is to do and how little of it compliance ends up scratching the surface of
•    Make compliance personal to those it actually impacts, communicating in their own native tongue
•    Use deadlines and accountable people
•    Embrace automation in compliance monitoring and procedures, since the more of it we can use, the better off we will be

Further, Wood argued that another big part of tackling the problem is recognizing the need to reframe the risk narrative.

“We need to get away from just labelling things as high, medium and low risk,” which can be interpreted drastically differently from one person to the next, he said. “I would urge you to start to think about measuring things with numbers. It’s far harder to argue with numbers than it is high, medium and low, because everyone is going to have their own interpretation.”