Security teams are already overwhelmed with keeping up with threats and protecting the network and the data that flows within it. Especially when working in a highly regulated industry such as finance, healthcare, or utilities, it can be a real challenge to keep up with all the changes in regulation.
What’s wrong with compliance?
We have quite a few members of our team who have been involved in consulting with regulatory bodies. Some of them still do. The people who make up these councils are usually the best and the brightest in the industry – and sometimes there is an ego that goes along with that. One person says something philosophical about security and sends the discussion down a rabbit hole, which creates a bit of a disconnect from the actual need.
Compliance isn’t security…
Let’s look at NYDFS-500 section 500.05: “The monitoring and testing shall include continuous monitoring or periodic penetration testing and vulnerability assessments, and shall be done periodically.” This has rightfully raised eyebrows within the industry. Why monitoring instead of testing? These are two different domains. This particular point offers three very different options to “achieve” compliance: you can monitor, you can pen-test, or you can do a vulnerability assessment. There are multiple ways this could go, and they’re all incredibly different. Moreover, once one regulation like this comes out, other states (or even countries) trust what its authors are doing, and thus copy what they did.
…but they intersect quite a bit.
Regulations like GDPR and NYDFS-500 caused quite a bit of disruption within security. For some organizations it wasn’t just a complete overhaul of policies, it was an overhaul of technology too. It makes sense why compliance and security get conflated because their intersection makes them seem similar. Depending on what size of company you’re in, you could also be running both by yourself or with a very small team, so it’s easy to intertwine them.
Going the extra mile with cyber defense
When it’s time to do your compliance laundry list, adding in a cyber defense option can help bring more security ROI. Yes, it might cost less in the short-term to get a service that satisfies the compliance requirement. That cost won’t look as good when you pass your audit and fail an actual attack.
Attackers don’t care about compliance
You can spend your entire budget on being compliant and still get attacked. It is a delicate dance between keeping up with the regulators and the actual threats that exist. Laws can take years to change; breaches can happen in seconds.
Getting offensive with compliance
We have to change the way we look at compliance. Rather than treating it as an obligatory exercise, use it as an excuse to bring extra elements of security in. We look at these regulations like perfume: you don’t drink perfume, because it’s poison. You smell perfume and decide what works best for your situation. This is what we need to do with regulation. Use the regulation as a guideline and find the way to achieve both compliance and actual cyber defense. Using a vendor who specializes in the attacker’s mindset is a great tactic here. Ensure you meet all the requirements, sure. Don’t stop there. The findings you get from the assessment need to have an attacker’s-perspective element as well. This makes the task that used to be eye-roll worthy actually worth the money you’re spending.
Want help with cyber defense?
HolistiCyber focuses on the nation-state grade threat to the enterprise. Would you like to speak to one of our nation-state trained experts? Reach out to us on our Contact Us page or any of our social channels!
*** This is a Security Bloggers Network syndicated blog from HolistiCyber authored by Tricia Howard. Read the original post at: https://holisticyber.com/blog/bringing-security-into-compliance/