The False Security of Compliance

With the primary focus of an organization being “the bottom line”, it’s easy to see why compliance is at the forefront and more businesses, especially multinational corporations, are making it a priority. In heavily regulated verticals like healthcare and banking, being non-compliant is costly. For organizations that provide goods or services, being compliant can impact whether or not an entire market area is available or change the outcome of a sale. Even though compliance is essential in many cases, having “blind faith” in compliance is bad news for organizations.

Let’s look at compliance from the perspective of a new motorcyclist. In order to attain a motorcycle license in the state of Ohio (USA), riders take a written test to demonstrate knowledge of the law and a driving test to demonstrate ability to safely operate the motorcycle. Once both tests are passed, a license is issued and they can operate the motorcycle within the boundaries of the law. If at any point the law is violated, the riders risk fines or license revocation. At predefined intervals of time after licensure, the license must be renewed to continue operation of the motorcycle.

Sound familiar?

Compliance, in technology, refers to the need for an organization to have controls for processes in place for things like how data is stored or retrieved. Gaining compliance works in a similar fashion as licensure. A regulation is studied, written documentation and a demo are created to prove adherence to the regulation, product is assessed to determine if it is certifiable and is issued a certification, and, once certified, the certification must be renewed at predefined intervals. While certified, if the product fails to meet the regulations the organization faces fines or loss of certification. Of course compliance has its place in our organizations and in some verticals is mandatory. Just as a motorcyclist should not be able to drive without laws for proper use, regulations should be in place to govern how businesses receive, access, share, or store personal data. However, complying with regulations is not enough. After all, having a license to operate a motorcycle does not make you a safe motorcyclist.

So what about security?

A compliant organization must be secure, right? No; in fact, compliant organizations may still face breaches and costs related to non-compliance. Solution: shift the focus to security. In technology, security refers to the protection of data focusing on three elements known as CIA: Confidentiality (C) which prevents unauthorized access to data by implementing the “Need to Know” principle; Integrity (I) which prevents modification to a record that is in storage, being processed, or in transit; Availability (A) which prevents against denial of service to authorized users. Protecting data can be accomplished in a variety of ways from strong password policies to entire network designs but each protective layer serves its purpose.

In the state of Ohio, there are no laws that regulate what a motorcyclist wears; even helmets are not mandatory. It could be inferred that as long as the riders follow all of the laws, they will be safe; however, not all circumstances can be predicted. Even if they follow all of the laws, a risk that someone else may not still exists and without proper attire, injury will likely occur. On the other hand, if the riders wear non-required protective gear they will be more prepared for the unexpected and will lower their risk of injury. In technology, security refers to the protection of data.

Secure systems are unique to each organization. Although costly at inception, the return on investment (ROI) is greater when secure systems are in place. It is evident that being compliant does not equate to being secure.

According to research completed by the Ponemon Institute, it costs an average of $3.5 million to comply with mandated and optional standards. According to a study completed by Nelnet Business Solutions, initial costs for complying with PCI range from $50,000 to $250,000 depending on the size of the organization not including annual costs to maintain the compliance or gain the certification. From the standpoint of a ledger or numbers only, it is easy to see why organizations that are mandated to comply with specific standards choose compliance as the focus.

Implementing security can also be very costly, especially for small businesses (organizations with fewer than 100 employees). The SANS Institute estimates that implementing a basic security structure for a small business would cost approximately $15,000 for software and hardware alone. If the business is serious about security and hires an IT person to monitor the system, the cost grows to include salary and benefits. After the secured system is in place, the company still has to pay for whichever standards are required in order to operate.

If switching the focus to security is going to increase the overall initial cost, why should any organization do it? For the same reasons that a motorcyclist should wear the proper gear. Purchasing all of the protective gear upfront will be costly; however, it will greatly reduce the risk of injury and costs if an accident occurs.

●Ditch the flip-flops and buy boots.

Obsolete and New Technologies – Technology is constantly changing and for some companies and verticals it is very difficult to keep up with this technology sprint. Obsolete technologies in use increase vulnerabilities and implementing new technologies without thoroughly testing the change first can also cause vulnerabilities. In many organizations upgrading to new technologies is completed in phases creating environments where obsolete and new technologies are used in conjunction increasing risk. The race to stay current while keeping data secure can be accomplished with a strong security focus.

Ditch the shorts and buy pants that will protect you on any

Evolving Security Landscape – Standards and regulations are often too far behind the ever- changing technology and security landscape to be relevant. The security landscape is volatile; changing with each new technological advancement or newfound exploitation in small bursts of time. Although most standards have a review and update process, more often than not the deadlines are pushed back and changes come years later practically nullifying any parts related to security at conception. Shifting the focus of an organization to security safeguards the organization and decreases the likelihood that vulnerabilities will be found and exploited.

Cover that holy tee-shirt with a new jacket. 

Perform Risk Analysisor Security Audits– Only a few standards, for example HIPAA (Health Insurance Portability and Accountability Act), actually require a risk assessment to be completed before attaining compliance. The Ponemon Institute’s research shows that 28% of companies do not perform security audits. Organizations should realize that vulnerabilities exist; if they are not the ones finding them, someone else is finding the vulnerabilities and exploiting them on behalf of the organization. Performing regular security audits and risk analysis of the organization’s systems is a necessity.

●Hands are important too so buy some gloves. 

Reduce Risks of a Breach by Training Employees – Being compliant is, essentially, adding a checkmark to an item in a checklist to indicate the criterion is met. As mentioned before, having a secure infrastructure with updated technologies that undergoes regular security audits can reduce a risk of a breach. Proper training of employees is essential to reducing risk. Most standards do not require a subject matter expert or that any particular group is trained on the criterion. If an employee does not have knowledge of basic security, such as do not write down network passwords, or an organization does not have a security policy in place, the risk of a breach increases. Reduce this risk by properly training employees and creating, if one does not exist, a policy for security practices.

Protect your livelihood and buy a full-face helmet.

Prevent Costs  to the Organization- With lax security, a breach may occur. Although being compliant may reduce the organization’s accountability, it will not prevent all costs. Monetarily an organization may face fines if found to be non-compliant, costs for purchasing new technologies or making repairs, or even lawyer fees if any lawsuits arise. Other than monetary costs, the organization faces loss of customer loyalty, brand repair, and declines in new business. By focusing on security, the risks of a breach decline and organizations will likely never endure the process of recovering from a data breach.

Once properly suited, the motorcyclist can safely take to roads and enjoy the ride. Similarly, once properly secure, organizations can focus on preventative actions and reduce the likelihood of a breach; avoiding the aftermath of costs and brand damage.

Remember, when data breaches occur it is unlikely due to a lack of compliance and more likely due to lax security. It is evident that being compliant does not equate to security. Despite the initial cost, security will have a better ROI for the company. In order to not be the next organization breached and reported on the news, companies need to switch the focus from a compliance perspective to a security perspective. Just as the adage “Better safe than sorry” states, it’s better to be secure than to just be compliant.


About the Author

Rachelle Below is new to software testing but has a real passion for the craft and for learning about testing. As an avid learner she spends time reading (blogs, magazines, books, and Twitter) and conversing about testing when possible. Currently, she works as a compliance analyst and looks for ways to meld compliance, security, and testing into projects. Follow her on Twitter @achelleRay.


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.