Fri 21 May 2010
Why compliance is chosen over security
Posted by andyitguy under compliance, information security
[4] Comments
Kevin Beaver writes about how the business continues to choose compliance over true security even though we (the security people) know that it’s a bad idea. He makes the following comment:
Those of us in infosec circles know these dangers haven’t changed but management keeps on chugging along as if it doesn’t really matter in the grand scheme of things.
Maybe it doesn’t…?
Well, I don’t think that Kevin believes it doesn’t matter. He just seems to have reached a point where he doesn’t understand why this keeps happening.
I have a few theories that I want to share with you.
- Those of us who do understand are still not doing a good job of translating the danger into a language that the business understands.
- We don’t understand the business well enough to realize that the cost/benefit trade-off is not compelling enough for management to buy. They would rather accept the risk, take the chance and deal with the consequences.
- There is no guarantee that Security Product X will prevent a breach, but you can be sure that it will quite possibly break something and/or cause lots of user issues.
- Compliance still makes the auditor happy, and we all know that when Audit isn’t happy, nobody is happy.
There are other theories and reasons for this phenomenon, and I invite you to share yours in the comments. To answer the question of whether or not it matters: I think that it does. It matters because just doing enough to get by is wrong in lots of ways.
- It’s putting short term benefits over long term ones.
- It’s telling the world that our standards aren’t really that high and that we only care about what looks good.
- It’s creating issues that go way beyond us and the here and now.
- It affects lots of “innocent” people.
This is the kind of attitude that has gotten us into the mess we are in with the economy, housing and even the BP oil spill in the Gulf. It’s this type of attitude that has brought down companies such as Enron, Arthur Andersen and MCI, and it is going to bring down many more. I’ll stop here before I get on a soap box.


It’s actually pretty simple.
Compliance is pretty much a requirement no matter what, whether due to regulation, legal requirements, or even to be awarded a contract. No compliance == no work, or fines.
Security, at this time, is optional. It costs money to implement, has next to no ROI, and will sometimes impact the user experience.
Compliance has a built-in WIN for the enterprise. They can claim to have “passed the audit.” They can say they are now “compliant.” Can they ever really say they are completely secure? There is a finish line for compliance that “security” is not going to have.

Just as Justin said above, compliance may be necessary to keep the doors open, or at least to grow the business. Aiming for real security means spending money to prevent things that we cannot know (for certain) will ever happen either way. Unless it can be arrived at in a way that costs less than the demonstrable gain you get in revenue through being able to market the state of your security, it is always going to be a harder sell.

I agree with both posts above. A company can either spend X amount of dollars on Product\Service A and be called compliant, or on Product\Service B that may make them more secure. Compliance is going to win every time, even though Product\Service B may actually help them more in the long run. Information security is a preventative control that is usually an afterthought to regulations requiring something for compliance.

Yours and the above comments pretty much sum it up, I think.
Another way to look at your first #2 above:
There is a line on a graph that extends between “Zero Security” and “Perfect Security.” Reality dictates that a business pick a point on that line somewhere in between.
At some point, some security geek is going to *want* his security higher than the point the business picked. That’s just the nature of how we see the world of security. It is not always that the picked point is wrong, it’s just lower.
Kinda like if I bought a motorcycle tomorrow. A moto enthusiast somewhere will shun my choice as inferior to X. Hell, if I did X, some other enthusiast would shun my choice as inferior to Y.
The same goes for the subjective side of security.
And it gets back to what I call the Big Security Gamble. You can’t have perfect security and few orgs have a chance for uber budgets to throw at security. Therefore, every security posture really is a gamble to some extent. Some play fast and loose with security, and others play conservative and careful. And that’s not even to start getting into those who are simply security-ignorant!
Even with perfect intelligence and perfect formulation of the costs and risks to the business, the business will still play the Big Security Gamble game rather than spend money to reconcile the perfect approach.
As security folks, we’ll always be ahead in the knowledge, approaches, and risk decisions. But then again, that’s what we’re paid for!
If we aren’t ahead of the curve and striving to pull the wagon forward, we’re doing something wrong or about to be left in the dust!