Need some sleep?  Try reading compliance manuals.  My alter ego was invited to host a round table at a conference recently, on the topic of “Security and Compliance in IT Networks”.  The conference was hosted by a network provider / integrator in town, and focused on topics such as migrating to high-performance wide-area networks and the like – “carrier-class” topics.  The biggest security concern, for most attendees, is the prevention of denial of service.   And “compliance” doesn’t have a whole lot of applicability to carrier networks.   So I had a nice blank slate, and a “roundtable” that would likely be a bunch of 10-year-old questions (questions on topics that are 10 years old; not implying that they’re coming from 10-year-olds).

So in typical Jovian fashion, I decided I’d take the most controversial stance I could (while remaining on topic) that Compliance had nothing to do with security – in fact, they’re almost mutually exclusive.  I quoted the statistics from the latest Verizon Data Breach Investigations report, interpreting the statistics to match my agenda appropriately and prepared to engage in a pointed discussion.  Here’s a quick summary of how the statistics could be viewed (or “skewed”):

  1. 21% of organizations subject to PCI were fully PCI compliant. 
  2. Out of the remaining 79%, on the average, 39.75% of those were compliant with the majority of PCI requirements. 
  3. In other words, 31.4% of the organizations subject to PCI were mostly or entirely non-compliant.


It then goes on to say:

The [PCI] standard is authored to provide an approach towards security, built to make unauthorized access to systems and data iteratively harder through a series of control gates.

The idea here was that I would infer from this that organizations that are more in compliance (“complianter”?) would be less subject to breach – as one becomes compliant by implementing more “control gates”, you would be more secure as a result.  However, the data presented in the Verizon study simply don’t uphold that premise, since from above, roughly equal numbers of compliant, semi-compliant, and non-compliant organizations were represented in the study, with only a slight lead taken by those that are completely compliant.

At least that was the premise for the conversation, coupled with a liberal sprinkling of McAfee and Symantec threat report goodness for added flavor.  So how’d it go, you ask? 

Crickets.  Nobody wanted to talk about any of that hoo-ha, they just wanted to know how to keep their damn networks up.  So the round table became a dissertation on the techniques behind DDoS with a then-and-now perspective, talking about how easy it was and how complex it’s become, citing cases from February of 2000 through the most recent Yahoo and DNSmadeeasy.com attacks.  Same conclusion as always:  fix it with more bandwidth and processing power.  Ho-hum.

But the real value was in preparing the presentation, because it tore me away from catching up on Snooki’s adventures in North Jersey and got me … well, thinking.  Compliance and Security are in fact closely related, and each entirely benefit from the other.  Now before you go thinking I’ve flipped my lid, let me explain:

To start with, the Random House Unabridged dictionary defines compliance as:

  1. the act of conforming, acquiescing, or yielding.
  2. a tendency to yield readily to others, esp. in a weak and subservient way.
  3. conformity; accordance: “in compliance with orders”.
  4. cooperation or obedience: “Compliance with the law is expected of all.”


Ok, so you can see this goes totally against every fiber of my being.  Sort of like Joe Walsh’s “Ordinary Average Guy”, you know – where he sings about the guy who takes out the garbage, cleans out the garage, goes bowling, average kids and wife – all the things I rebelled against as a starry(bloodshot?)-eyed young man aspiring to be a rock star.  And here I am, damnit, with a day job and a mortgage.  I blame my ex-wife for all of it.  But I’m digressing.

Regulatory Compliance is something that is enforced by some kind of regulatory body.  The enforcement is usually in the form of civil or criminal penalties.  Take PCI or HIPAA.  Both have fairly significant sanctions for non-compliance.  (yes, I know that enacting sanctions based on noncompliance for these involves zillions of dollars in court costs on behalf of the regulatory entity and the non-compliant entity, and that it’s challenging at best to even get a slap on the wrist administered, but just ride this out with me here). 

Sanctions are applied and delivered to the highest level of governance at the organization.  This tends to make the top of the organization angry, and that anger is typically directed through executive management as vague and poorly thought out, yet forcefully delivered, edicts.  That cascades through the organization and gathers size and steam – the proverbial poop-rolls-downhill metaphor in action.  By the time it ends up as a splattered steamy stain on your new Manolo Blahniks, it’s death by stoning for anyone who doesn’t prostrate themselves before their immediate supervisor to honor this new proclamation and do whatever it takes (lying, falsifying records, etc.) to be compliant.

Are we secure yet?  Nope.  We’ve just witnessed a cultural ripple – a wave that made it to shore.  It’s what “actual security” can piggyback on and make it all the way through the organization.  Compliance (or rather, the impact of non-compliance) can bring with it serious cultural change in an organization – it can be the catalyst for implementing the security program you’ve been pitching to the board and seeing ignored due to lack of funding for years (although the new Aeron Chairs in all the conference rooms were clearly more important).  It’s something that you can totally leverage.  

The moral / conclusion to this long winded story?

  1. Make sure you’re not responsible for compliance.
  2. Scrap your security pitch, and rewrite it as if you’re implementing it in response to a gigantic non-compliance fine.
  3. Get fined for non-compliance.  I don’t know, maybe hire a hacker, sell pictures to TMZ, whatever it takes.
  4. Let chaos ensue.
  5. Save the day with your new security compliance plan, get a raise and a promotion.  And one of those cool new Aeron chairs.