Thursday, July 3, 2014

Harmonizing Compliance and Security for the Enterprise - The Introduction

Pursuit of compliance in the enterprise is proving to be a staggeringly bad security investment, if you ask nearly any enterprise security professional. And yet, we continue to see companies who get breached fall back on the same press releases: "We were PCI-DSS compliant! It's not our fault we were breached!"

I ask myself why, every time it happens. I still don't have a good answer.

Sure "management just doesn't get it" sounds right but it's getting old and tired. At some point, complaining about management becomes old hat, and you have to start asking yourself if this is somehow your fault? Breaches are becoming a fact of life in the enterprise, whether you like it or not - whether your board and CEO like it or not - so it's just time to deal with it.

Compliance ~ Security

The truth is good security leads to good compliance. The converse is absolutely not true. Good compliance is just ... compliance and speaks very little about actual security. So again, why is it so many enterprise security programs base their models around compliance goals? I'll try and answer that in just a minute...

If strong security and business-relevant security drives good behaviors which naturally lead to more ready compliance - why aren't we following this path? I think there is some magic here still, which is why this isn't an openly and easily adopted technique. I think it's still difficult to produce legitimate data (ultimately everything else is black magic and voodoo) which proves that because of security measure A costing you $100,000 you filled compliance regulations B, C, and D which each would have independently cost the organization $80,000 - thus saving your enterprise $140,000.

There is much to this, of course. You have to be able to demonstrate first and foremost that security measure A actually accomplishes some goal (beyond saving you on compliance) - which requires you to be able to measure the positive impact of your security investment ...again largely black magic in any enterprise I've had personal experience with. Then you have to successfully draw linkage between security measure A and compliance regulation B, C and D - again largely black magic out there.

What I'm saying is that it's a completely do-able thing. Doing security right, by aligning it to the business and then letting compliance regulations naturally follow as side-effects. The reason we are not seeing this is that it's not something many people are good at. What we are good at is hearing "APT" and immediately thinking "Ooh, my sales rep says FireEye solves that problem, I must buy it". FUD sells. You know it. I know it. Marketing departments at every security products vendors out there know it. (I can speak from experience here...)

My Guess

The fact of the matter is, I think, that organizations feel that the risk of being non-compliant in some manner is higher than being breached. This is the only thing that makes sense to me. If I had a finite pool of capital, say, $250,000 for a round number, and I had to either meet as many compliance regulations as I could or implement security protocols in accordance with our security strategy - it might make sense to pursue the compliance stuff. What could possibly make me think this insane way? Lawyers.

People like to sue, this is America after all. If you as the corporate victim of a successful breach give even the slightest hint that you didn't do all the stuff some regulatory body set aside for you - it's like a papercut in a shark tank. You're about to be torn to pieces and devoured.

Tell me I'm wrong... law suits by individuals, class-action suits and the like are gaining ground and while they haven't broadly been successful yet it only takes one to set that crazy precedent we all fear. It takes just one company to successfully be sued for being non-PCI-DSS compliant when they experienced their massive credit-card-stealing breach for the FTC or some regulatory body to admonish them publicly. Now we have our blood in the water and lawyers start foaming at the mouth... you're toast.

Now What?

So. Now what? I hate articles which lay out problems and don't offer any meaningful crack at a solution. So here goes... I'll offer my suggestions in a convenient 5-step program. It doesn't come in a rack-mountable 2U chassis, and it doesn't have a compliance guarantee... and you may not even be comfortable with this. I don't blame you, it's not easy stepping away from the mainstream herd mentality.

  1. Draw it out - Step 1 is to take a giant whiteboard (or an equivalent) and draw out your security program goals on one side of a whiteboard. (I'm assuming you have program goals... if you don't stop now, and make some, and then have your business approve them.) On the other, draw up the compliance requirements. In the middle write down the business goals for your enterprise/organization/whatever. Now map the relationships between them... this is going to be harder than you think.
  2. Discard the junk - Now that you've got things nice and neat, look for obvious patterns. Some security initiatives will have many lines coming from them to something in the middle (the business goals). Same goals for the compliance side to business goals. The items with the highest levels of connectedness (most lines connected to them) are your highest priorities from the right and left sides. If anything has no connected lines, throw it away. Now re-order the items in order of connected importance and throw away things that appear to be insignificant. You're going to have to pick things that you think are important, but your objective data analysis is telling you otherwise. Yes this will sting a bit, potentially.
  3. Make the case - Now that you know what security measures serve the most business goals, and which of those meet the most amount of compliance regulations make a business case for this approach. I think you can handle writing up a business case based on this approach, so I'll leave you to it.
  4. Define measurements - Now that you've written your business case, and the business has overwhelmingly shown you support (well, maybe not quite that dramatically), you need to define how you're going to define and measure success. What does success look like? How does the stuff on the far left (the security measures) look when it's going well? Hint: start with operational metrics around detection and response... prevention is a fool's errand. Then demonstrate that your security measures really are creating a better climate of compliance - generally this means that there is less time wasted when the auditors announce their imminent arrival.
  5. Execute - Now that you know what security measures impact the most business goals, and turn the crank on the most compliance requirements - get it done. Execute with great care, making sure to measure as you go so you have a baseline from where you started, and then incrementally measure gains and losses because let's face it no one gets it right every time, all the time.
Now you'll hopefully have a data-backed (evidence is so compelling when it's real) strategy that's either working, or it's not. Either way you can adjust. You're doing things to improve security, and you're making compliance less of a headache.

I call that a win.

No comments: