[BreachExchange] Taking cybersecurity beyond a compliance-first approach

Audrey McNeil audrey at riskbasedsecurity.com
Tue Feb 20 18:46:44 EST 2018


The cybersecurity landscape is plagued by the fact that cybercriminals seem
to be permanently one step ahead and rather than addressing the problem, it
seems that regulation is, in some cases, compounding the problem.
Understandably, many organizations are opting to define security policies
based on regulatory requirements, however the result is that their security
postures become very quickly out of date. Not only are regulations
typically at least 24 months old by the time they are implemented, but a
compliance-only approach actually provides hackers with an ‘access
blueprint’ – as weaknesses in the security model that are not covered by
regulation are clearly visible.

Disturbing trend

With high profile security breaches continuing to hit the headlines,
organizations are clearly struggling to lock down data against the
continuously evolving threat landscape. Yet these breaches are not
occurring at companies that have failed to recognize the risk to customer
data; many have occurred at organizations that are meeting regulatory
compliance requirements to protect customer data.

Given the huge investment companies in every market are making in order to
comply with the raft of regulation that has been introduced over the past
couple of decades, this continued vulnerability is – or should be – a
massive concern. Regulatory compliance is clearly no safeguard against data

Should this really be a surprise, however? With new threats emerging
weekly, the time lag inherent within the regulatory creation and
implementation process is an obvious problem. It can take over 24 months
for the regulators to understand and identify weaknesses within existing
guidelines, update and publish requirements, and then set a viable timeline
for compliance. During this time an organization with a security strategy
dictated by compliance is inherently insecure. Furthermore, these are catch
all standards that are both open to interpretation and fail to address
specific business needs or operational models – immediately creating
security weaknesses.

Hacking blueprint

Yet despite this obvious vulnerability, organizations are actually moving
towards a compliance first model, rather than away. Rather than extending
the remit of the Chief Information Security Officer (CISO), growing numbers
of organizations are recruiting Chief Compliance Officers (CCO),
effectively side-lining the data security requirements of the business.
Compliance is important, clearly, but it should be a subset of the overall
security strategy – with the CCO reporting to, not replacing, the CISO.

Following this attitude to its logical conclusion can only further
undermine an organization’s security posture: organizations looking to meet
compliance requirements may avoid penalties, but they are not secure.  In
fact, by taking a compliance-first approach, organizations are effectively
advertising their security posture to hackers. A published regulation,
while open to some interpretation, outlines requirements very clearly –
effectively presenting a hacker with a network blueprint that highlights
potential vulnerabilities.

Attaining regulatory compliance is offering organizations a false sense of
security on many levels – not only as a result of the new threat landscape
but also when we consider the ways in which emerging connected technology
is being used. The adoption of the Internet of Things (IoT) is a prime
example of regulations’ inability to keep pace.  The Health Insurance
Portability and Accountability Act (HIPPA), for example, has specific
requirements related to patient data management – but a hacker breaching an
IoT patient monitoring device may not just compromise a patient’s data but
potentially his life if that were to tamper with its settings. Would
compliance to the existing HIPPA requirements stand up in court should that
patient’s family sue for mismanagement? Put a security expert on the
witness stand and most probably not. Security teams know that prioritizing
compliance demands over effective data security is wrong – and businesses
that fail to listen will pay the price.

New mindset

The entire security model is flawed not least because most regulatory
bodies are still adhering to the ‘secure the border’ model. Breach
prevention, even breach detection, are not adequate security postures.
They assume a level of trust – that anyone or anything inside the border is
trusted until proved otherwise. But this is patently untrue, as the raft of
breaches - many of them undetected for months – reveal.

Organizations and regulators alike need to stop trying to build trust into
an infrastructure and adopt a ‘Zero Trust’ mindset. This means decoupling
security from the complexity of the IT infrastructure and addressing
specific user/ IoT device vulnerability. Instead of firewalls, network
protocols and IoT gateways, organizations should consider data assets and
applications; and then determine which user roles require access to those

Building on the existing policies for user access and identity management,
organizations can very quickly use cryptographic segmentation to ensure
only privileged users have access to privileged applications or
information. Each cryptographic domain has its own encryption key, making
it impossible for a hacker to move from one compromised domain or segment
into another – it is simply not possible to escalate user privileges to
access sensitive or critical data, meaning any breach is contained.

It is by creating a Zero Trust approach to data security first, and only
then overlaying any specific compliance requirements, that organizations
can lock down the business against threat and meet regulatory demands.


Organizations are understandably concerned about the financial penalties
associated with failing to achieve regulatory compliance. But take a step
back and consider the financial implications of data breach, of high
profile customer data compromise. That is a far more significant cost and
an event that will have long term repercussions on customer perception and

This continued, even increasing, focus on compliance over data security is
confusing.  These static regulations can never be up to date, can never
provide organizations with the robustness of security posture required to
protect data against the continually evolving threat landscape. The fact
that these regulations are open to interpretation also creates potential
weaknesses within the security architecture.

The blunt fact is that compliance driven security programmes do not
adequately address the threat landscape because the focus is on meeting
audit trail requirements rather than leveraging security innovation to
effectively fight the latest threats. The model is wrong – and businesses
are suffering as a result.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180220/d0db7df2/attachment.html>

More information about the BreachExchange mailing list