You’ve no doubt seen and heard the impact of security compliance on your business. You probably went for years, maybe decades, with minimal support for your IT and security initiatives. Traction was nowhere to be found. Then compliance showed up at the door, screamed loudly at the right people, and suddenly earned a “seat at the table”. From auditors to legal counsel to top executives and board members, everyone knows about compliance and, presumably, how important it is for a healthy business.
Well, there’s a dirty little secret about compliance that seemingly few people are currently aware of yet many end up finding out the hard way: compliance creates, facilitates, and sustains an incredibly false sense of security. Just ask any of the people who have worked on these projects. Many (most) were probably compliant up until the very time of the breach. Compliant with what? What a bureaucratic law says is best for their business and network? Perhaps it’s advice from a taxpayer-funded government standard? Maybe even an industry standards body that knows all about keeping personal information locked down…again, up until the time the breach occurred.
What I’ve described is the essence of the challenge we face: compliance means very little in terms of where things actually stand with network security. Sure, executives who have seen a 10-minute presentation from internal audit will proclaim everything’s good. External auditors will tell you the same thing in their “in-depth” reports. Sales and marketing are on board with the rhetoric. Everything’s good in IT…again, up until the point of a breach.
That’s the thing that gets me about compliance and security. So many people are so proud of their “compliant” status yet these very people are often disconnected from reality. Just ask any IT admin or security manager. They’ll be glad to tell you their own shortcomings and what they know isn’t right about their networks. Yet, still, everything is good in IT because that latest compliance audit says so. And those who have no real clue how things work in the field (think Undercover Boss) believe it.
It’s like going to the doctor for an imaging scan or an annual physical. Nothing is seen. Nothing shows up on the reports. The doc says all is well. Great, we’re completely healthy! That is, except for all that starch we know we’re eating and the exercise we know we’re not getting. Not to mention all the other bad habits we don’t discuss. Much like pre-judging people we know absolutely nothing about, it’s the silly assumptions that end up making us look bad.
My point is, things with network security are almost always different once you learn the facts. You’ll know what the facts are once you dig in. If you’re not uncovering any technical flaws or operational weaknesses, you haven’t looked hard enough. Be careful what you assume and believe to be true. Most importantly, guide the decision makers down that path. They’re the ones who ultimately determine whether or not your network is secure and when that next breach is going to occur.
About the author
Kevin Beaver, CISSP is an information security consultant, expert witness, and professional speaker with Atlanta-based Principle Logic, LLC. With over 25 years of experience in the industry, Kevin specializes in performing independent security assessments in order to help business executives understand the information risks that matter. He has authored/co-authored 11 books on information security including Hacking For Dummies and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, he’s the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at www.principlelogic.com; you can follow him on Twitter at @kevinbeaver and connect with him on LinkedIn at www.linkedin.com/in/kevinbeaver.