When cyber compliance is just not enough

Sol Cates, chief security officer for Vormetric, argues that while new policies and regulations are important, the answer to an organization’s cybersecurity p...

“My company is up-to-date on compliance standards,” you say. Congratulations! You can avoid government fines for at least another year.

But if you really think being compliant means your data is safe, you my friend have another thing coming.

Government regulation is a fact of life, and we all know that with the facts of life, you take the good and you take the bad. So while businesses that learn to work with government authorities can save themselves from legal headaches — in the security space, government regulation is an entirely different ballgame.

Sol Cates, chief security officer at Vormetric

Compliance remains a baseline standard for protecting information and should never be confused with security. Think of compliance as a bridge. It’s the bridge that allows your company to cross the water and enter the castle. But what’s stopping invaders from also crossing that bridge? That’s right, you need guards, a moat, the whole nine yards.

As cybersecurity risks increasingly threaten both corporate and public well-being, lawmakers and regulators around the world are enhancing existing data security compliance requirements, implementing new legal frameworks and defining new data security regulations to respond to growing internal and external hazards. But it remains to be seen how effective these guidelines are at protecting agencies, citizens and their data held by corporations.

Increasing regulation is not the answer. Here are a few examples of resource-heavy mandates:

  • NIST SP 800-53 and NIST SP 800-111 — While effective, these guidelines require many resources to measure against. Worse, implementing the controls is left to the enterprise, which leaves room for error.
  • HIPAA HITECH — This very resource-intensive mandate leaves room for interpretation. Even more challenging, the guideline references NIST. You know what that means? To understand HIPAA, you need to understand NIST.

While most regulations are well-intended, they are not always realistic from a technological standpoint. Not only do regulations impose a one-size-fits-all solution on organizations that are increasingly complex, these mandates also require a whole new level of resources.

It’s a real problem. Having a full staff dedicated to maintaining compliance standards gives organizations a false sense of security. As history has shown, being able to click the compliance check box does not mean a company is safe. Here are a few examples to prove just that:

  • Company A has a data breach and is version 1 and HIPAA compliant. While there is a lot of framework involved, HIPAA and version 1 did not stop the breach from occurring nor provide needed security. Going the extra mile creates an empowered organization to both own security and get ahead of the curve.
  • Company B just finished becoming PCI DSS (The Payment Card Industry Data Security Standard) compliant with regulation X. They were just compliant for the audit so the next day, they get back to operations and they are not compliant.
  • Company C found a vulnerability and is in a scramble to get the issue resolved. That change management did not get caught in the company’s audit.

Many organizations spend most of their time and money trying to combat cyber threats and attacks, and feel they are always a few steps behind. It’s like spending all your time running around the kitchen trying to shoo mice away from the cheese on the table. What if you could just put the cheese in the fridge? Want to take it one step further? You can even add a lock or maybe a camera.

One of the more successful tactics is “defending yourself from yourself.” This tactic entails looking at the target (data, compute, etc.), and then wrapping controls like encryption, activity monitoring, and access controls around said target that are neither governed by nor accessible to the privileged users who run your systems. The key is to make sure even your most privileged users are removed from the target. Why? Because that’s exactly how attackers look to compromise the target: one can’t steal what one doesn’t have privilege to.

To establish privileged access controls, I’d recommend the following three-tiered approach:

  1. Classify: Classifying data is not a new practice; however, many organizations try to create too many classifications, and then find it hard to educate and enforce across the organization and its partners. When classifying, start by bringing in all the stakeholders that own and use the data regularly. Create a manageable classification strategy that each stakeholder can agree to and reinforce. Some data types are easy to classify, like PCI and HIPAA data, where the regulation is very prescriptive. Yet make sure you also take your customer data and intellectual property into account. Try to keep it simple, as 3-4 levels usually works for most organizations.
  2. Discover: Once the classification is agreed upon, you will need to discover where the data is produced, stored, and consumed. Discovery tools will help here, but tribal knowledge is worth its weight in gold. Work with the stakeholder’s team to identify the systems and users of data in a given classification.
  3. Protect: After discovering the data, you will want to begin to restrict access based on “least privilege.” If your job function doesn’t require access to it, then you shouldn’t have access to it. Often we do this easily by department, but individuals like executives, consultants, and administrators frequently have elevated access to data across the organization. This is a huge risk, because guess who are the biggest targets of a breach?
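The following is an added example (not part of the original article or of Vormetric’s products) showing how the classify/discover/protect steps and the “defending yourself from yourself” idea can be expressed as a single access decision: data is released by job function only, the roles that run the platform are excluded from the data outright, and every decision lands in an audit trail. The classification levels, stores, roles and user names are constructed for illustration.

```python
# Step 1: a manageable classification scheme (3-4 levels is usually enough).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Step 2: the discovered inventory of where data lives, by classification.
# Constructed sample; in practice it comes from discovery tools and stakeholders.
INVENTORY = {
    "cardholder_db":   "restricted",    # PCI scope
    "patient_records": "restricted",    # HIPAA scope
    "sales_pipeline":  "confidential",
    "intranet_wiki":   "internal",
}

# Step 3: least privilege by job function (need-to-know, not seniority).
# Roles that RUN the systems get no entry at all: they administer the
# platform but are not consumers of the data it holds.
NEED_TO_KNOW = {
    "billing":   {"cardholder_db", "intranet_wiki"},
    "clinician": {"patient_records", "intranet_wiki"},
    "sales":     {"sales_pipeline", "intranet_wiki"},
    "executive": {"sales_pipeline", "intranet_wiki"},   # no blanket access
}
SYSTEM_ROLES = {"root", "dba", "backup_operator"}

def authorize(user, role, store, audit):
    """Decide whether `role` may read `store`; every decision is audited."""
    level = INVENTORY.get(store)
    if level is None:                      # undiscovered data: deny by default
        allowed, reason = False, "store not in inventory"
    elif role in SYSTEM_ROLES:             # "defending yourself from yourself"
        allowed, reason = False, "system role excluded from data"
    elif store in NEED_TO_KNOW.get(role, set()):
        allowed, reason = True, "need-to-know"
    else:
        allowed, reason = False, "outside job function"
    # Activity monitoring: restricted data and every denial get flagged for review.
    audit.append({"user": user, "role": role, "store": store,
                  "allowed": allowed, "reason": reason,
                  "review": level == "restricted" or not allowed})
    return allowed

def flagged(audit):
    """Events a security team would look at first."""
    return [e for e in audit if e["review"]]

if __name__ == "__main__":
    log = []
    authorize("alice", "billing", "cardholder_db", log)     # allowed, reviewed
    authorize("root", "root", "patient_records", log)       # denied: system role
    authorize("ceo", "executive", "patient_records", log)   # denied: not job function
    for event in flagged(log):
        print(event)
```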

Organizations’ reputation and brand image are on the line. As if a data breach wasn’t devastating enough, let’s add civil lawsuits as well as government investigations and shareholder scorn. As we’ve seen, high profile data breaches can also force top executives to resign.

Finding and securing organizations’ sensitive information is a significant step toward building a cybersecurity program that reduces the need for oversight. Together, these measures will give the CISO more influence and control. At the end of the day, it’s in everyone’s best interest to rectify their security strategy, keep sensitive information private and ultimately avoid legal consequences.

Sol Cates is the chief security officer for Vormetric
