One of the hottest topics at the recent SecureWorld conference in Boston could be summarized as “compliance isn’t synonymous with security.”

At the conference, Click Security’s Dave McCulley observed that compliance usually leads to security that’s “merely good enough” – unable to address new threats that arise almost every week. By the time a security regulation is set in stone, the technology to outmaneuver it has made quantum leaps.

Regulatory compliance is like looking in a rear-view mirror for threats that are looming in front of you.

In fact, the Heritage Foundation argues that strict new cyber security regulations would be fruitless because they would quickly become obsolete – and would let the bad guys know exactly where to probe.

Let’s use the example of the “take your shoes off” requirement for airport security following the foiled Shoe Bomber plot in 2001. You can be 100% compliant with this regulation and still be vulnerable to the next threat, like a neck-tie bomb.

Regulatory scrutiny didn’t help prevent the recent Premera Blue Cross data breach. In fact, an OIG audit in late 2014 found the organization to be “generally compliant.”

It’s also important to remember that compliance can be fleeting. For example, a recent Verizon report on Payment Card Industry (PCI) data security revealed that less than a third of the companies deemed to be fully compliant in 2014 could say the same thing one year later.

This is not to say that regulatory compliance is totally irrelevant. It’s important to continuously improve processes and procedures.

Some observers feel that the recent Anthem breach could have been prevented if the company had paid closer attention to “abnormal behavior” (which in Anthem’s case was the suspicious activity of an account that appeared to belong to a system administrator). It’s looking increasingly likely that the Anthem hackers weren’t on a stealth mission. The company simply didn’t have the processes in place to monitor abnormal behavior in database traffic.

In a post-Anthem world, regulatory compliance is still important. But it needs to be augmented by constant information-sharing between the public and private sectors. Otherwise, we’ll continue to see companies achieve compliance while remaining very vulnerable to security threats.

Michelle Caswell

Senior Director, Legal & Compliance at Clearwater Compliance
Michelle Caswell has over 14 years of legal and healthcare experience and worked as a HIPAA Investigator for the U.S. Department of Health and Human Services, Office for Civil Rights, where she ensured covered entities were in compliance with HIPAA, conducted complaint investigations and educated entities on HIPAA compliance. Michelle brings that experience to Clearwater Compliance as Senior Director, Legal and Compliance.