If information security is your objective, compliance should not be your north star. However, data show that for most organizations compliance is the driver of information security investment. That means compliance is also the objective and information security is not necessarily the intended outcome.
Data from the 2016 Vormetric Data Threat Report show that although 91% of survey participants were concerned about the security of their data and 61% had experienced a data breach, only 21% “cited a past data breach as a reason for securing sensitive data.” You would think that proof of compromise would become a catalyst for improving an organization’s information security posture. Apparently not for two-thirds of breach victims. By contrast, 64% “viewed compliance requirements as either ‘very effective’ or ‘extremely effective’ in preventing data breaches, up from 58% last year.” That sentiment no doubt helped compliance rank as the second most important reason for securing sensitive data and the top driver of IT security spending.
CIO Magazine comments on the survey findings included this observation: “Even as an overwhelming majority of large global enterprises feel vulnerable to data breaches and other security threats, too many organizations continue to approach cybersecurity as a compliance exercise…” Compliance may make you more secure, but you can meet the compliance objective and still be subject to harm, as many enterprises learned in 2015.
Too Much Optimism
As we mentioned previously, security professionals may be too optimistic about their security posture, and that extends to their strategies. It is hard to believe this could be true given the continual onslaught of high-profile breaches showcased in the media and PwC’s confirmation that information security incidents rose 38% over the past year. This is not a theoretical exercise. The 2016 CyberThreat Defense Report found that 76% of companies had experienced a breach in the past year, but only 52% expected to face one during 2015. That means at least 24% of breached companies were surprised by the incident.
Despite this data, only 62% expect a breach in 2016, which suggests that at least 14% of those breached in 2015 don’t expect a repeat. Is that a reasonable expectation in our current cybersecurity climate? If 64% of companies are correct in believing cybersecurity compliance programs are “very” or “extremely” effective, shouldn’t we expect breaches to impact well under half of companies? Where is all of that optimism coming from?
The Problem with Compliance
A recent article in C4ISR reported on the shortcomings of compliance saying that, “‘Compliance does not always equate to strong cybersecurity. Compliance is often based on requirements that are outdated or have little relevance to zero-day attacks and other modern-day adversary tactics,’ said Judson Walker, systems engineering director for Brocade.” Another comment from the article stated, “IT experts say striving to meet mandated cybersecurity benchmarks often wastes scarce funds and could get in the way of the intended security goals.”
In order for a practice to become embedded in a compliance program it must be known and well understood. This may work in a static or slowly evolving information security environment. Yesterday’s learnings help to ward off cyber attacks from known exploits and vectors. Closing CVEs and following cybersecurity frameworks can help a company in this regard. However, we know that information security is a quickly evolving environment with newly identified CVEs rising more than 55% over the past five years. The strategies and methods that will protect you from new attacks can’t be in compliance protocols yet because they haven’t been identified.
The Vormetric report concluded, “But one of the limitations of compliance mandates is that they can’t possibly adapt fast enough to the constantly changing threat environment or be specific enough to provide detailed guidance on what is needed.”
From False Hope to Capability
Compliance has a role and for many companies it is a regulatory reality. The SEC signaled its intent earlier this year to expand cybersecurity compliance requirements for financial firms in 2016. However, the data suggest that compliance is a small part of a robust information security defense. It cannot help you address the unknown unknowns and hidden breaches that characterize today’s information security environment.
Enterprises need to look beyond compliance. That may include enhanced perimeter defenses but also requires more capabilities that help identify and contain threat actors that successfully bypass the perimeter. New capabilities for breach detection, threat intelligence and data protection can help companies address today’s risks. These are the tools that could have helped Target, Anthem and OPM even when their perimeter defense and compliance efforts failed.
So the answer is yes. Compliance-driven investment can hinder information security if it crowds out spending or displaces attention from building capabilities designed to effectively confront the current threat landscape. To learn more about how information security analytics can help companies mature beyond compliance, click the button below to request a demo or download a white paper on transitioning to more robust detection and containment capabilities.
By Scott Raspa