Tenable Blog

3 Myths That Impede the Shift Towards Continuous Compliance

This is the second installment in my Drifting Out of Compliance series, taking a closer look at organizational approaches to compliance and the challenges of shifting from a point-in-time compliance mentality to a continuous compliance one. Although a security first, compliance second approach is best, many organizations still struggle to attain the baseline level of security documented in compliance requirements.

In the first installment of this series, I pointed out that the point-in-time compliance mentality is commonplace in the marketplace today and manifests itself in several ways:

  • The project mindset: setting up a team to demonstrate compliance at a point in time only
  • The technology-only investment mindset: acquiring prescribed technology with little thought to implementation and process
  • The reactionary mindset: “fire drills” that crop up when an urgent need arises

A security team could be entrenched in one (or more) of these mindsets without a concerted effort to break the cycle. And such a mentality perpetuates these 3 common compliance myths:

Myth #1: Demonstrating compliance at a point in time amounts to compliance throughout the year

The false sense of security resulting from passing an annual assessment, combined with the subsequent and inevitable drift out of compliance over time, sets an organization up for an increased risk of data breaches. According to Verizon, 80% of those that passed their annual PCI assessment drifted out of compliance shortly thereafter, busting this myth wide open. To that end, it is no surprise that the “continuous” concept is becoming a key component in more and more compliance frameworks. More to come on this topic in the next installment of this blog series.

Myth #2: Reactionary cycles are always productive and without opportunity cost

As many of us have experienced, reactionary cycles build on one another and fight against the key planning concept “build the plan, work the plan.” Ironically, well thought out, forward-thinking planning efforts may reduce future reactionary cycles. In such a culture of reactionary cycles, it’s easy to question “Why work a plan, or commit to work, when you know full well there are many more fire drills coming around the corner which are going to trump the plan?” To this end, employees can’t help but resign themselves to a culture of reactionary cycles with no room (or hope) for continuous improvement.

Myth #3: Processes and technology usage are the same

Perhaps this myth is really an “unconscious assumption.” Yes, technology usage could be considered a process, but take it a step further and consider these questions:

  • How repeatable is that process?
  • Could someone else step in and execute the same process?
  • Is there a system in place that ties one process to another, such as interdepartmental handoffs?
  • Who’s monitoring these processes to ensure all gaps are closed?
  • Are there processes to manage the processes?

To ask a question we all already know the answer to: “Have there been breaches where effective, perfectly capable technologies were in place? Did process gaps play a significant role in a business-crippling data breach?” Prior to a data breach, the value provided by processes may seem intangible and hard to quantify. Only afterwards, after suffering significant losses, does the tangible value of those processes become crystal clear. Consider this:

  • Do you view processes as if they are business assets?
  • Do you think about how to increase the value of those “process assets?”

Opportunity for process maturity

If your organization is like most, there’s plenty of room to build more mature, repeatable, continuous processes. Though security experts are knowledgeable and proficient with security concepts and tools, they may not be as well-versed in process methodologies such as the Capability Maturity Model or Six Sigma. And if they are, are they too consumed by reactionary cycles to put that knowledge to good use? Businesses think about optimizing the productivity of personnel and maximizing the ROI of their product purchases. Should processes be viewed any differently?

Consider the following Six Sigma doctrine:

Continuous efforts to achieve stable and predictable process results (e.g., by reducing process variation) are of vital importance to business success.

Just as we need advanced network monitoring technology to continuously monitor our networks and to monitor the effectiveness of our security controls, we also need to continuously mature and improve our “process assets.” Without process maturity, closing the gap between siloed processes is hit or miss, reactionary cycles will rule the roost, and data breaches due to weak processes will continue. Without valuing and investing in process as an integral part of optimizing technology usage, the challenge of shifting from a point-in-time compliance mentality to a continuous compliance one will be great indeed.

Check back for the next installment in this series when I will take a look at how the “continuous” concept has become part of the standard of due care. If you have any compliance stories or organizational challenges you’d like to share, I’d like to hear about them. Email me at [email protected].
