One of the hottest topics at the recent SecureWorld conference in Boston could be summarized as “compliance isn’t synonymous with security.”
At the conference, Click Security’s Dave McCulley observed that compliance usually leads to security that’s “merely good enough” – unable to address new threats that arise almost every week. By the time a security regulation is set in stone, the technology to outmaneuver it has made quantum leaps.
Regulatory compliance is like looking in a rear-view mirror for threats that are looming in front of you.
In fact, the Heritage Foundation argues that strict new cyber security regulations would be fruitless because they would quickly become obsolete – and would let the bad guys know exactly where to probe.
Let’s use the example of the “take your shoes off” requirement for airport security following the foiled Shoe Bomber plot in 2001. You can be 100% compliant with this regulation and still be vulnerable to the next threat, like a neck-tie bomb.
Regulatory scrutiny didn’t help prevent the recent Premera Blue Cross data breach. In fact, an OIG audit in late 2014 found the organization to be “generally compliant.”
It’s also important to remember that compliance can be fleeting. For example, a recent Verizon report on Payment Card Industry (PCI) data security revealed that less than a third of the companies deemed to be fully compliant in 2014 could say the same thing one year later.
This is not to say that regulatory compliance is totally irrelevant. It’s important to continuously improve processes and procedures.
Some observers feel that the recent Anthem breach could have been prevented if the company had paid closer attention to “abnormal behavior” (which in Anthem’s case was the suspicious activity of what appeared to be a system administrator). It’s looking increasingly likely that the Anthem hackers weren’t on a stealth mission; the company simply didn’t have the processes in place to monitor abnormal behavior in database traffic.
In a post-Anthem world, regulatory compliance is still important. But it needs to be augmented by constant information-sharing between the public and private sectors. Otherwise, we’ll continue to see companies achieve compliance while remaining very vulnerable to security threats.