As numerous data compliance laws proliferate across the globe, security professionals have become too focused on checking their requirements boxes when they should be focused on reducing risk. Can the two work harmoniously together?
The answer depends on how effectively IT security leaders can work with their auditors and speak to their boards, say experts. These are their top five recommendations:
1. Focus on data protection
It’s well-known that compliance is about protecting regulated data, while cybersecurity is focused on keeping bad guys out. From a data protection perspective, the key security measure then is to avoid processing or storing regulated data that isn’t needed. If regulated data must be stored, make sure you’re using stronger-than-recommended encryption, says James Morrison, national cybersecurity specialist for Intelisys, the infrastructure support division of payment systems company, ScanSource.
“In my career, I’ve seen small healthcare providers sending patient data in cleartext. So, to create compliant policies, ask how regulated data is handled from cradle to grave,” explains Morrison, formerly a computer scientist with the FBI. “You should be mindful of where your data exists, where it’s stored, how it’s stored, and for how long. That’s the right way to start the conversation around compliance and security.”
2. Make security auditors your friends
As important as learning the perspective of auditors is helping them understand the basics of cybersecurity. As CISO at a previous company, Morrison held weekly meetings with his auditor to maintain a “two-way” conversation inclusive of compliance and security. By the time the company conducted its ISO 27001 infosec management update, the audit team was able to articulate clearly what they needed from the security team. Then Morrison himself gathered the information the auditors requested. “Auditors are more appreciative if you take a team approach like this. And so are the CEO’s and boards of directors,” he adds.
However, teaching cybersecurity basics to auditors is difficult, adds Ian Poynter, a virtual CISO based on the U.S. east coast. This is especially problematic among auditors that come from the big consulting firms, who he likens to “people with clipboards who ask questions but don’t understand the security and risk context.” In case after case, Poynter describes past experiences in which his clients passed their “clipboard” audits while fundamentally failing at security.
For example, in one instance the auditor asked if the company had a firewall and the IT manager checked the “yes” box because they had a firewall, even though it was still in the package and hadn’t been installed yet. “The auditors didn’t understand that the firewall is not actually doing anything, although you still have a firewall,” Poynter says sardonically. “So, to audit properly, you need to know the context around the questions and how to ask the questions.”
As a consultant to smaller companies, Poynter says it’s important to engage with auditors with those relationships to security and who understand the security and compliance aspects in tandem. For example, he points to a company preparing to spend $3 million on a SOC 2 provider. Going into the SOC 2 audit with the provider, Poynter provided both sides with security and vulnerability reports that were correlated against audit requirements. This, he says, greatly narrowed down the field of focus for the audit team, adding that it was a good example of how compliance and security mesh together to further the IT leader’s business skills and Boost security posture.
3. Use compliance as a base to build better security
Poynter also cautions that audit checklists go out of date regularly, so just passing an audit does not protect IT assets. Take, for example, passwords, which NIST used to require changing every 90 days. NIST has rescinded that rule because people can’t remember their passwords, and instead recommends using passphrases with numbers and symbols that users can remember.
Avishai Avivi, CISO at security control validation company SafeBreach, agrees with Poynter. Avivi believes that compliance frameworks provide a basis for thinking about security programs, but compliance mandates are not prescriptive, nor do they rate the efficacy of controls. For example, he says, “A compliance checklist tells you that you need to have a firewall. It doesn’t tell you what type of firewall is suitable for your business, or what firewall rules to implement.”
He also points to requirements for annual penetration tests, even though threats evolve much more frequently than that. This gap leaves “compliant” companies at risk of new vulnerabilities they don’t know they have. Also open to interpretation is how to conduct the pen-test and against what computing resources, he continues.
“We had a client that was only testing its external attack surface. So, we did a simulation from an internal corporate office network and showed them that if just one of their end-user stations is compromised, it can access all their development and production networks,” Avivi explains. “The client followed the compliance guidelines in terms of segmenting development from production networks, but there were no firewall controls to prevent someone from coming in from a corporate office to those environments.”
In industrial control systems (ICS), NERC CIP and other standards are particularly bare-bones in their requirements, according to Jason D. Christopher, director of cyber risk at Dragos. “Due to the lack of OT-specific detection in industrial networks, it’s more difficult to interpret compliance rules. It’s a lot harder to have a compliance conversation because it’s hard to distinguish on a plant floor if you had a security incident that requires reporting or if it is a maintenance incident.”
ICS systems like energy and power companies are already behind because their security controls are also at the low end of the maturity curve, Christopher continues. He then describes the compliance maturity curve in three stages. Crawling is filling in the check boxes. Walking is building a program around audit findings and cross-checking findings with compensating controls. In the run stage, network operators have exceeded compliance rules with the proper workflow and chain of command to support security and audit duties. Christopher stresses that the more mature the compliance and security programs, the better the collaboration and communication between auditors, CISOs, and the board.
4. Fix the vulnerabilities you find
It’s that middle stage of maturity, the walk stage, where organizations mostly get hung up, say experts who call out many instances where organizations failed to make basic repairs based on audit findings. “We had a company that did their pen-test as required by compliance. Then, a year later, the new pen-test came back with exact same vulnerability finding because the client had not addressed the findings from the prior year’s pen-test,” Morrison says. “Ultimately, they suffered a second breach around the same vulnerability. This time, the company fell into trouble with regulatory bodies.”
Morrison’s story sounds like a famous case currently winding through the U.S. District Court of San Francisco. In it, Joe Sullivan, CISO of Uber, faces prison time under federal charges because he didn’t report a second ransomware breach that took advantage of the same vulnerability the FTC had demanded they close after a prior breach. Recently, more charges of wire fraud were added in what the FBI is now calling a cover up.
5. Measure improvements in security and risk posture
More than just a driver for reducing risk, compliance can also be used to measure improvements in security and risk posture. Morrison suggests a compliance dashboard to measure your risk score and using those dashboard policies to keep ahead of changing risks, such as adding a new tech or supporting a remote workforce. The dashboards should also help IT managers report to upper management in the business language of risk and reward that they understand.
As Avivi from SafeBreach explains, “If you do security right, you’re probably compliant. But if all you care about is compliance, you’re probably not going to be secure.”