Is Compliance Bad for Security?

Standards are a security bar for organizations to meet through compliance. Arguably their value is in the reassurance they provide stakeholders that a baseline of reasonable security measures is in place. But what if compliance is faked?

As has been demonstrated in high-profile attacks, being compliant with standards isn’t enough. Companies that have been certified as compliant with cyber-security standards relevant to their industries, by presumably reputable and accredited consultancies, still get hacked.

Worst of all, they were hacked in ways that the compliance standards were designed to prevent. So what value does a security standard hold if companies can achieve compliance without proper implementation of mandated measures? If you can cheat to make the mark, how can the mark be trusted?

Compliance is a money maker

The consultancy, certification and advisory industry makes a profit by selling compliance, treading a fine line between helping organizations to improve and mollifying them. It is not uncommon for organizations to fire strict consultants or put them under pressure to let things slide.

Of course, not every consultant is prepared to do this, but there are too many organizations marked as compliant that aren’t. It can therefore be concluded that either the consultants who marked the company as compliant have been lied to, or the consultant has lied on the client’s behalf.

Security is a moving target

To be effective, security measures must not only be maintained, but also evaluated and adapted on an ongoing basis to keep pace with a company’s evolving environment. A company’s compliance status cannot be guaranteed at any time, apart from the day it successfully passed its last audit.

If you consider the number of changes a large organization makes on a weekly basis, an audit six months ago cannot indicate that the organization is still compliant with that standard.

This issue can be mitigated through conscientious examination and tracking of standards. The reality of compliance being a static measure of a dynamic situation highlights the risks associated with accepting compliance certificates as an indication of compliance status.

Standards can magnify and amplify security vulnerabilities

By defining the scope and nature of security measures required of firms across various industries, some standards serve to carve out and highlight opportunities for breach.

Standards themselves introduce a degree of predictability. An example would be ATM PIN codes, which in most cases are four digits long. Once commonly used numbers and easy-to-remember patterns are factored in, the range of likely PINs can be considerably narrowed.

We have all become programmed to default to four-digit security codes and tend to limit our phone passcodes to four digits too. A study by Cambridge University suggests that eight to nine percent of PINs are guessable within three attempts, and so could be worked out before the card or device is locked.

Most compliance standards allow for the scope of the compliance to be limited. For example, PCI has the Card Data Environment (CDE) and ISO 27001 has the scope of compliance. Effectively you are able to delimit the area of compliance. Again this becomes about demonstrating compliance to third parties, not about securing the full environment. PCI is an excellent example of limiting the scope of security measures to a narrowly-defined area, concerned purely with securing card data.

The problem is that companies are using PCI compliance as an indication they are secure, but PCI compliance only indicates that the card data handled and stored by a company is secured. This represents a disconnect. Whilst PCI card data should be stored in a secure CDE, if a company’s less important networks can be breached, hackers can work their way into the CDE.

Narrow standards encourage blinkered security

Standards may be a good starting point for addressing security, but are seen instead as an end point. As a result, compliance with a standard cannot be taken to accurately reflect a business’ security.

Standards are designed to be achievable. They are set to the lowest common denominator and, effectively, the result is weak standards. There is an argument to be had that a weak but achievable standard is better than a more aggressive standard that companies will give up on. However, this waters down standards too far, and it may be time to introduce grades in compliance.

Compliance is often seen as an attempt to offer a return on security investments. Essentially, companies are getting something for the money they spend on security, whether it’s a certificate to hang on the wall or a logo for the website. The trouble is, what they are gaining is compliance with a standard, but not necessarily an improvement in the business’ security.

It could be argued that investing in information security will produce better security standards, but it’s hard to demonstrate this benefit to stakeholders. Investors, other organizations and regulators want tangible value for their investment. Likewise, customers want something to look to for reassurance that doing business with a company is safe.

Compliance for compliance’s sake does not automatically improve security in a meaningful way, but it does not mean all compliance is useless. Security measures implemented to address and mitigate companies’ specific security issues and vulnerabilities do help improve security.

It is also true that compliance can be a framework on which to hang security and help people understand it, but on its own compliance won’t achieve much. When compliance is the sole objective of security measures, it’s an indication that actual security is not on a company’s radar. When this is the case, it’s a red flag: even if a company becomes compliant, breaches may well lie ahead.