Is Compliance-Only Vaccination Enough?

Written by

Companies invest a lot to get themselves certified. Planning and preparation starts months before the dreaded auditors come cracking their knuckles and flaunting their egos. Finally, when auditors are satisfied, the certification obtained is like gold mined from an abandoned mine!

Digital security marketing then gets a new lease of life by displaying the proud achievement pompously, some new slides are added in the sales kit as the team now gets latest weaponry to win against their competitors and mandates are received from senior management to get the same again (or even more revered) displayed at their receptions.

Unfortunately, when cyber-attacks like WannaCry or NotPetya takes place, the cyber-criminals prefer not to bias their victims on basis of certifications. Rather, organizations who have adopted security measures - not just for auditor’s consent but genuinely for their businesses - will find themselves victorious.

It’s never a bad decision for any organization to start their security journey by implementing the controls mandated by security standards, guidelines and regulations, after all, these are the best practices. The question is whether acquiring and maintaining these certificates of high industry repute are sufficient for organizations to be reasonably assured that their reputation will not be stained due to some 21-year-old hacker siting in his basement in a remote part of the world.

Resources and effort spent in certifications is not always adequate to protect against cyber-attacks, organizations need to go beyond and above. Some of the key aspects which today’s organizations may want to consider beyond a compliance-only security regime: 

Rapid adoption of digital technology – The majority of security compliance standards and regulations are yet to incorporate controls due to enterprise business environment rapidly adopting and acclimatizing to digital economy. How can an organization be assured on IoT security, cloud security or mobile security just by implementing controls which are not specifically targeted to protect new-age, rapidly evolving digital technologies? 

Across the digital landscape, organizations should consider security, architecture and the design stage onwards. Cross-collaborating security engineering principles with system and product engineering can prevent any future reactive, stop gap arrangements. Threat model driven layered security measures should be adopted bud-stage onwards, considering all possible error and attack scenarios. 

Holistic security approach – Traditionally, investment in security has been an outcome of a security risk assessment or benchmarking exercise. A security risk assessment is not an exact science and every organization is unique against their peers.

Available resources get exhausted in deploying and managing such investments and in this process, some attack vectors do not receive necessary attention. For example, low-risk public-facing websites can be neglected and one single instance of defacement can discount all other efforts and customers end up losing trust. Even if a single weak link is left out of your holistic security strategy, then your organization can be another victim of an attack resulting in monetary and reputational loss.

Applicability & effectiveness of protection – Administrating vaccinations against already eradicated diseases like polio to babies in countries like USA is not applicable today. However, the vaccination can be pertinent to a baby in USA migrating to or from a foreign country. Similarly, business-driven analytics should continuously identify the changes in the business and technology landscape of the organization, and amend the control posture based on applicability to a particular situation/environment to achieve business objective, and to optimize security investment. 

Mere checklist-based periodic review and assessment of deployed control are not adequate enough to identify gaps. Instead, continuous, unbiased and independent assurance route should be adopted to ensure control relevance and effectiveness in the evolving threat landscape. Every employee and third party should be wearing a cybersecurity hat along with any other hat at all times. Role-based granular cybersecurity trainings should be conducted for all cybersecurity internal stakeholders.

Behavior based threat identification - Almost all security metrics from standards and guidelines focus on controls and vulnerabilities, rather than on incidents and preventing losses. A single incident occurring in one part of the world might be connected to another happening on the other side of it.

A behavior-based assessment for event-based metrics can become the basis of how effectively the security measures can detect monitor incidents, and prevent security breaches from occurring. Such a security strategy does not discount a threat environment and are more practical than some paper-based controls and checklist based measures to mitigate outdated vulnerabilities.

It’s easier to convince top management to approve a business case which is focused on getting a tangible outcome in the form of a demand-oriented compliance certificate, rather than discussing stochastic benefits which are focused on real security.

The cyber world is turning red from incessant attacks; this demands holistic security beyond compliance. Due to limited resources, this battle also requires planning based on security economics and for smart solutions based on ever changing risk profile.

A compliance-only vaccination can provide a single layered or fragmented protection against security breaches, but looking at the growing state of cyber-attacks, several other vaccinations and regular pills of different hues are required to reduce the probability of loss against attacks. So keep your vaccination chart updated with occasional boosters for a healthy security posture. 

What’s hot on Infosecurity Magazine?