This is the first installment in a “Drifting Out Of Compliance” series where I take a closer look at organizational approaches to compliance, the resulting challenges that impact organizations’ ability to demonstrate point-in-time compliance, and the challenges of making the shift from a point-in-time compliance mentality to a continuous compliance one. A well-thought-out, risk-based approach to establishing a comprehensive security program is the way to go, with compliance following as a natural result. A security first, compliance second mentality is ideal. To that end, the authors of compliance frameworks usually clarify that their guidance is only intended as a baseline level of security. However, many organizations still struggle to attain even this baseline level of security. For those organizations, being held accountable to these compliance frameworks results in implementing greater levels of security than they would otherwise achieve.
Every year, many companies undergo a compliance assessment as called for by FISMA and PCI. In the case of NERC compliance, in addition to an auditor’s spot check, some companies are self-reporting their compliance posture. According to the Verizon 2015 PCI Report, most companies are passing annual PCI assessments. However, Verizon also reports that 80% of those companies fail compliance in subsequent assessments. In the case of self-reported NERC violations, many violations have persisted for months, even years. In the case of HIPAA, many compliance violations are personnel related, whether intentional or unintentional, and show no signs of improving. Regardless of the industry or the regulations, even if companies demonstrate point-in-time compliance, they very quickly drift back out of compliance.
Why is this? I wanted to better understand the reasons behind it, not from a “which compliance requirements are the hardest to sustain?” perspective, but rather by asking “how do businesses approach compliance?” Based on conversations with professionals in the security industry (security directors, CISOs, QSAs, and penetration testers), I offer the following findings about why companies drift out of compliance.
Reason #1: Project mindset
In the project mindset approach to compliance, companies put together a temporary project team whose goal is to prepare for a compliance assessment. Once they have successfully passed the annual assessment, the project team is disbanded.
This approach is very common. Jeff Man, a Qualified Security Assessor for 10 years, estimates that two-thirds of the companies he worked with approached PCI DSS compliance with this project mindset.
In conversations with an IT security director from a quick-service restaurant, I discovered this same project-based approach. She reported significant costs associated with flying people into headquarters for three weeks every year to prepare for the annual PCI DSS assessment, pulling them away from their usual business activities. And though a vendor’s payments security product helped them reduce the time and costs associated with PCI compliance, the lion’s share of their savings was associated with this three-week project. Clearly, demonstrating compliance on an ongoing basis throughout the year was not part of their approach to compliance.
Rather than viewing PCI compliance as something to sustain throughout the year, most companies suspend their core business activities for several weeks to focus on passing an annual assessment. However, as the Verizon report attests, 80% of these companies drift out of compliance soon thereafter.
Reason #2: It’s not just about technology
Many companies rely too heavily on technology to solve their compliance headaches. Yes, technology controls are a necessary part of securing sensitive data and demonstrating compliance, but simply purchasing technology without building processes around that technology will only get you so far. This approach may have worked when compliance mandates were first introduced, but as the standard of due care has risen, simply implementing technology is not enough.
For example, one company purchased millions of dollars of equipment and yet, two and a half years later, half of that same equipment remained in storage: the technology became “shelfware,” providing no security value. Other companies trust security automation so much that they take the “set it and forget it” approach: “if I set it up and let it run, then I’m being compliant.” However, without implementing processes around technology to fill gaps—between point solutions, between inter-departmental workflows—the technology will never be optimized.
Reason #3: Reactionary cycles
Some IT security professionals report that their security departments are stuck in reactionary problem-fixing cycles: cleaning viruses off desktops, dealing with password lockouts, mitigating data breaches, responding to unannounced audits.
In one case, a company discovered a breach and conducted a forensic investigation, only to find that logging had not been turned on in that area of the network. Not only were they unable to find the ingress and egress points for the attack, but they were never able to identify what type of data was exfiltrated. Ironically, these are the same types of reactionary cycles that take time away from the continuous improvement efforts which could reduce future reactionary cycles.
A few examples of continuous improvements include better defining and refining processes, conducting data mapping exercises, and working with system owners (to know where sensitive data resides). Continuous monitoring efforts include identifying and verifying which security controls are in place, whether they are positioned optimally on the network, and making sure they are operating as expected. These are just a few of the due diligence and forward-thinking efforts which have the potential to pull you out of reactionary cycles and help you work more effectively and efficiently.
You are not alone
If you are drifting out of compliance, you are not alone. All of the challenges associated with attaining and sustaining compliance highlight the need to take a broader, more unified approach to seeing what is happening within the organization, across networks and across devices. It’s time to move away from a point-in-time, checkbox mentality to a more persistent, bigger-picture continuous compliance mentality. This includes both continuous process improvement and continuous network monitoring. Along the way, you may find opportunities that not only introduce efficiencies but also improve morale, reduce attrition, and perhaps even save time and money.
In my next blog, I will take a deeper look at the organizational challenges that impede the shift from a point-in-time compliance mentality to a continuous compliance mentality. If you have any compliance stories or organizational challenges you’d like to share, please email them to [email protected]. Let’s move towards more sustainable compliance and build a stronger security posture along the way.