
3 Myths That Impede the Shift Towards Continuous Compliance

This is the second installment in my Drifting Out of Compliance series, taking a closer look at organizational approaches to compliance and the challenges of shifting from a point-in-time compliance mentality to a continuous compliance one. Although a security first, compliance second approach is best, many organizations still struggle to attain the baseline level of security documented in compliance requirements.

In the first installment of this series, I pointed out that the point-in-time compliance mentality is commonplace in the marketplace today and manifests itself in several ways:

  • The project mindset: setting up a team to demonstrate compliance at a point in time only
  • The technology-only investment mindset: acquiring prescribed technology with little thought to implementation and process
  • The reactionary mindset: “fire drills” that crop up when an urgent need arises

A security team could be entrenched in one (or more) of these mindsets without a concerted effort to break the cycle. And such a mentality perpetuates these 3 common compliance myths:

Myth #1: Demonstrating compliance at a point in time amounts to compliance throughout the year

The false sense of security resulting from passing an annual assessment, combined with the subsequent and inevitable drift out of compliance over time, sets an organization up for an increased risk of data breaches. According to Verizon, 80% of those that passed their annual PCI assessment drifted out of compliance shortly thereafter, busting this myth wide open. To that end, it is no surprise that the “continuous” concept is becoming a key component in more and more compliance frameworks. More to come on this topic in the next installment of this blog series.

Myth #2: Reactionary cycles are always productive and without opportunity cost

As many of us have experienced, reactionary cycles build on one another and fight against the key planning concept of “build the plan, work the plan.” Ironically, well-thought-out, forward-thinking planning efforts may reduce future reactionary cycles. In a culture of reactionary cycles, it’s easy to ask, “Why work a plan, or commit to work, when you know full well there are many more fire drills coming around the corner that are going to trump the plan?” As a result, employees can’t help but resign themselves to a culture of reactionary cycles with no room (or hope) for continuous improvement.

Myth #3: Processes and technology usage are the same

Perhaps this myth is really an “unconscious assumption.” Yes, technology usage could be considered a process, but take it a step further and consider these questions:

  • How repeatable is that process?
  • Could someone else step in and execute the same process?
  • Is there a system in place that ties one process to another, such as interdepartmental handoffs?
  • Who’s monitoring these processes to ensure all gaps are closed?
  • Are there processes to manage the processes?

To ask a question we all already know the answer to: “Have there been breaches where effective, perfectly capable technologies were in place? Did process gaps play a significant role in a business-crippling data breach?” Prior to a data breach, the value provided by processes may seem intangible and hard to quantify. Only afterwards, after suffering significant losses, does the tangible value of those processes become crystal clear. Consider this:

  • Do you view processes as if they are business assets?
  • Do you think about how to increase the value of those “process assets?”

Opportunity for process maturity


If your organization is like most, there’s plenty of room to build more mature, repeatable, continuous processes. Though security experts are knowledgeable and proficient with security concepts and tools, they may not be as well-versed in process methodologies such as the Capability Maturity Model or Six Sigma. And if they are, are they too consumed by reactionary cycles to put that knowledge to good use? Businesses think about optimizing the productivity of personnel and maximizing the ROI of their product purchases. Should processes be viewed any differently?

Consider the following Six Sigma doctrine:

Continuous efforts to achieve stable and predictable process results (e.g., by reducing process variation) are of vital importance to business success.

Just as we need advanced network monitoring technology to continuously monitor our networks and to monitor the effectiveness of our security controls, we also need to continuously mature and improve our “process assets.” Without process maturity, closing the gap between siloed processes is hit or miss, reactionary cycles will rule the roost, and data breaches due to weak processes will continue. Without valuing and investing in process as an integral part of optimizing technology usage, the challenge of shifting from a point-in-time compliance mentality to a continuous compliance one will be great indeed.


Check back for the next installment in this series when I will take a look at how the “continuous” concept has become part of the standard of due care. If you have any compliance stories or organizational challenges you’d like to share, I’d like to hear about them. Email me at [email protected].

Subscribe to the Tenable Blog