Mind the Cybersecurity Gap: Why Compliance Isn't Enough

Compliance is a necessity so long as organizations want to avoid paying non-compliance fees. By contrast, security is optional—at least to the extent that they won’t face any direct penalties for not securing their systems. That’s not to say a lack of security won’t cost them anything. Without security, organizations leave themselves exposed to a breach or a hack, security incidents which can damage their reputations, rack up legal fees from angry customers, as well as tie up IT and security personnel with time-consuming cleanups.

Organizations must create a partnership between compliance and security if they want to protect their systems and data. An either/or situation won’t work. Today’s technology solutions and digital threat landscape demand that organizations realize both using a robust security strategy.

In the words of Gartner, compliance is “the process of adhering to policies and decisions.” Organizations can create those policies using internal resources such as directives and procedures or by drawing from external laws and regulations. As such, compliance doesn’t stay the same. Designating bodies update their standards periodically; organizations’ hardening solutions and policies change. Compliance is simply a state at a given point in time.

Meanwhile, Gartner views security as “the combination of people, policies, processes, and technologies employed by an enterprise to protect its cyber and physical assets.” Business leaders define optimal levels of security for their organizations. It’s then up to technical teams to implement controls in support of those requirements. “Security has at its core the themes of Confidentiality, Integrity, and Availability,” (known as the CIA Triad) Stuart Coulson, a manager of business engagement, points out. “The implementation of security comes down to a technical team within the organization who puts in place appropriate controls to mitigate risks if one or more of those themes becomes compromised. The key word is ‘appropriate’.”

Compliance and security are not the same thing. The latter is rooted in the dynamic world of technology. This implies a continuous process of evaluating risks.

“Security is about dealing with alerts consistently and as they show up, making sure that any risks opened up with business-as-usual activities are dealt with immediately rather than only being discovered during an annual scan,” noted Dean Ferrando, EMEA systems engineering manager. In contrast, compliance lives in words of rules. And it takes a while to develop those guidelines or specifications.

Angus Macrae, a head of cybersecurity, agrees with this assessment. “Compliance is much more of a rigid, disciplined, point-in-time exercise that by its nature requires some longevity to make it worthwhile,” he clarified. “It takes time, effort, and money for determining bodies to create, consult, and agree upon standards, publish accompanying guidance, and implement all the necessary accreditation processes to go with them. It likewise takes time, effort, and money for applicant organizations to become accredited with those standards, and they want to know that all that cost and effort won’t simply be null and void a few months later.”

Standards change, and new ones are emerging all the time. By the time an organization achieves compliance with a specific version of a set of standards, they might need to start again to comply with any changes that took effect in the meantime. Acknowledging this possibility, organizations could end up losing themselves in the accreditation process. At best, they might always be one step behind in their compliance journeys. At worst, they might develop a skewed picture of the digital risks confronting the business, leaving them exposed to attack.

“Being compliant limits your approach to security to the narrow confines of the standard you are using,” noted Gary Hibberd, The Professor of Communicating Cyber at The Cyberfort Group. “Like looking through ‘rose-tinted-glasses,’ everything will appear okay because that is the lens you are using. But in fact, your approach could be one-dimensional and miss important aspects of cybersecurity. The result is that you may be compliant but not necessarily secure.”

Budgets

Organizations can run into issues when they don’t balance budgets for compliance and security. While a large majority of compliance projects receive budget, security remains an afterthought. By contrast, compliance tends to get more of a share of budget even though failing to be compliant would result in a much smaller fine than the loss of revenue and/or reputation given a breach.

There’s an interesting dichotomy with compliance. On the one hand, it is oftentimes too general in that it forces organizations with varying ways of doing business to adopt standards that fit the lowest common denominator of situations. On the other hand, it’s too specific in that it only applies to certain environments, certain assets, and/or certain types of data. It’s this specificity that prevents organizations from using different compliance obligations to achieve security, thus making budgeting even more of a challenge. 

“Some compliance standards do not integrate with each other either, so it’s possible to be fully compliant with one standard (e.g., Cyber Essentials) but still be way off other regulations and standards (ISO2700x),” Stuart Coulson stated. “Equally likely is that you can try to cover multiple compliance requirements, only to find you’ve duplicated your efforts and unnecessarily drawn down on your internal resources to provide evidence. So, my first point is that compliance is not coordinated. It’s so hard to ensure you are fully compliant.”

Audits

Just as compliance frameworks can fail to account for different business models, so too can auditors overlook what’s important to certain organizations.

“I have a long debate with auditors about ‘enforcement of a clear desk,’” Christian Toon, a CISO, cites as an example. “Paper is far from dead in many organizations. Even with significant technical, administrative, and physical controls, it’s just not on our agenda to ‘clear a desk,’ and that’s been sufficiently documented with the appropriate business and client approvals. Yet there are still auditors chasing full compliance to this.”

That’s assuming organizations understand what they need to do to pass an audit in the first place, as it’s not always clear whether standards are mandatory or advised. Some frameworks include sentences that use “must” and “shall” to emphasize the need for organizations to implement certain controls. Others lack that verbiage and read more like helpful security governance documents filled with recommendations, while others still explicitly refer to only some measures as real and enforced. The latter are the most misleading, as they force organizations into a position where they need to interpret which measures are required and which are optional. Subsequently, organizations might waste time and money on working towards a perceived state of compliance that doesn’t actually cohere with the intent of a specified framework.

Risk Management

Organizations are concerned with the following question: “How much risk is tolerable?” The issue is that compliance doesn’t necessarily involve robust risk management. Here’s Sarah Clarke, a security governance, risk, and compliance specialist, with more on this challenge.

“Compliance efforts are too often aimed at just securing cyber insurance or dealing with regulated industry customers instead of understanding risk,” she said. “The disconnect between the compliance line and a robust threat and risk assessment can result in significant levels of misinformed spending. Not only that, but continuing immaturity in risk management also affects most businesses. (It is still incredibly tough to draw a useful line between an implemented measure and a movement in the assessed risk position.) In short, compliance is transient comfort, while robust risk management is persistent (but better informed) discomfort.”

Of course, risk management doesn’t extend just to one’s own systems. In the age of incidents like SolarWinds and ProxyLogon, organizations also need to concern themselves with evaluating third-party vendors for risks. Many compliance frameworks don’t require this function, however. Such an oversight creates a false sense of protection— even in situations where organizations have implemented all the required controls.

Checkbox Compliance

Many organizations practice what’s known as “checkbox compliance.” This is where they implement what’s necessary in a compliance framework not because they see any value in it but because they are mandated to do so in order to trade with other organizations. They tick off the required policies and use those compliance efforts to claim that they’re secure and protected against a variety of threats.

This is problematic for a few reasons. First, no compliance framework is comprehensive—or an accurate representation of what organizations are deploying across their entire networks, for that matter. That’s because technology and the digital threat landscape are always changing. “Due to the changes in technology, one limitation of compliance is that it does not align or lags behind the latest trends in cybersecurity,” agreed Caryll Arcales, a global security specialist.

Second, checkbox compliance sends a specific kind of message. Organizations essentially tell regulators that they understand the importance of security but are just unwilling to prioritize it. So, they’ll just do certain measures and nothing else. This limits organizations’ ability to explain what they’ve implemented and why to regulators and/or customers in the event of a breach.

First and foremost, organizations need to recognize the limits of compliance. They need to see compliance standards as lowest common denominators—helpful but not comprehensive.

“Compliance tries to help in considering areas that could be of concern,” Dean Ferrando concedes. “This is OK for the generic organization, but what about bespoke devices, multi geo connectivity restrictions, translation tools, and other areas that are specific to an organization that the compliance framework does not consider? It just doesn’t account for all possible use cases.”

With this understanding, organizations can get more strategic with their compliance efforts. Stuart Coulson put it a different way. “Don’t do compliance for compliance’s sake,” he warned. “Instead, ensure you work to meaningful outcomes and seek improvements. Compliance comes with a cost, so make sure you emphasize return on investment.”

When done in this way, compliance can add value to the business. The same is true of security. This presents organizations with an opportunity with which they can pursue both compliance and security at the same time, not either/or.

“Whilst there are certainly gaps and differences in thinking, this doesn’t make the two things incompatible,” noted Angus Macrae. “It just means that at times, you must view security and compliance as slightly different journeys to a similar destination. Compliance is a good way of otherwise disparate parties demonstrating to each other that they have the commitment to meet certain non-negotiables with a similar if not equivalent level of rigor. This can then form the first pillars of credible trust.”

Organizations can create those pillars of credible trust by using the CIS Controls to drive both their compliance and security efforts.

The CIS Controls are unique in that they map into a number of different compliance frameworks and simultaneously act as security guidelines. Hence, organizations can use those standards to perform double duty. The CIS Controls represent just one way by which organizations can approach compliance within the bounds of a robust internal security program.

“A thorough business impact analysis and risk assessment with your security team and senior teams should identify your threat landscape and go some way to identify your control requirements,” explained Christian Toon. “In doing so, you create your own control framework. This is what makes the difference. It’s relevant to the organization, so this is what your teams get behind. Your narrative changes from ‘We need to do this for the standards or legal requirements’ to ‘We’re doing this for us because this is what we expect and who we are.’ This creates a more visceral response, a sense of purpose that all people will buy into.” That buy-in won’t be forthcoming unless security teams lay the groundwork. In those situations, the security basics can be particularly useful.

For Sarah Clarke, there’s no fundamental control more useful than creating an asset inventory. “My first focus is to descope low-risk assets and systems,” she pointed out. “A defensible and documented process to do that is your top priority. Intelligence then allows planning and budget estimation for subsequent efforts.”

Buy-in will be minimal if no one’s communicating, as well. That’s why organizations need to bring compliance and security teams together. “Teams need to collaborate with each other to align cybersecurity with compliance,” urged Caryll Arcales. “This should be supported by management. Good management can contribute by ensuring that there’s efficient communication between the two domains (or teams).” They can lend an additional hand by creating processes that bake collaboration between security and compliance into the business.

Gary Hibberd recommends developing a Governance, Risk, and Compliance (GRC) framework towards this end. “A GRC framework works best when it brings together multiple people from across the organization to focus on security together,” he explained. “This cross-functional team will bring diverse knowledge, skills, and experience of compliance risks and issues related to their particular discipline together for consideration. The fresh perspective to security that this provides will ensure any gaps are quickly identified.”

Compliance and security are not the same thing. But as noted above, they are not mutually exclusive. Organizations can use robust security controls to fulfill their compliance objectives. They can do this on their own, but they might run into challenges along the way.

Here are some additional recommendations that they can use to help them going forward:

• Put security and compliance on the Board’s agenda to ensure that budget forecasts are predictable rather than having to find emergency budgets as a result of a breach or failing an audit. 
• Decide what your core infrastructure is and devise a plan to ensure that those assets are covered as an absolute minimum. Talk to other members of your supply chain to ensure that they are taking cyber security seriously so as to reduce your risk.
• Map out each of the compliance standards that your organization must adhere to and check for overlap so that several policies can be addressed at the same time. (This is where the CIS Controls can help.)
• Keep abreast of changes to compliance standards and ensure you have budget, resources, technology, and processes in place to adopt changes quickly.
• Ensure that there is a clear communications policy in place to ensure that the compliance and security teams within your organization are aligned and that there is also an escalation process in place to discuss potential risks with the C-suite.

They don’t have to do this all on their own, however. They can enlist the help of a vendor like Tripwire. Tripwire’s solutions use file integrity monitoring (FIM), vulnerability management (VM), security configuration management (SCM), log management (LM), and other best practices to help organizations keep their systems safe both on-premises and in the cloud. Simultaneously, they can help to automate customers’ compliance efforts with GDPR, SOX, PCI DSS, and many other frameworks.