In my first blog post three years ago entitled “We Don’t Need No Stinking Compliance,” I laid out the flaws of a information security program that focused on compliance rather than security. Moreover, I noted that the most costly part of compliance is frequently not the cost of implementing and maintaining security controls that comply with particular standard or regulation but rather its proving that compliance to regulators, auditors, customers, and anyone else that demands a C&A report, a SAS 70, or any of the dozen or so compliance reports that are taking up the valuable time of the CISO team and away from monitoring and responding to new threats.
Now comes along an article by Robbie Forkish of Cloud Compliance, Inc. arguing in “Is Compliance the New Security Standard?” that based on competitive realities and demands of shareholders compliance should be the bar as preventing security breaches is too expensive, hard to justify from an ROI perspective, and ultimately impossible. While it is certainly true that 100% security is a pipe dream, I take issue with Mr. Forkish’s contention that compliance protects a company from liability. Unfortunately he is confusing compliance to a regulation, which is a statutory obligation, with compliance with a standard of care, which is the common law standard of negligence. Anyone who has been involved with a personal injury lawsuit involving a traffic accident knows that following all traffic laws doesn’t make one immune from liability as the negligence standard, or duty, is based on what is known as the “reasonably prudent person” standard, a standard that no human being meets with any degree of consistency.
And while liability is often the motivator for implementing security measures, it is foolish to assume that meeting the letter of PCI, HIPAA, GLBA, Sarbanes-Oxley, or some other regulation or standard will absolve one from claims of liability. The sponsors of the PCI Standard for protecting credit card data proudly claim that no system found to be compliant with the PCI Digital Security Standard has ever experienced a compromise of credit card data. What they don’t say is that the investigations interpret the PCI Standard in such a way that a breached system is almost by definition considered in violation of the Standard. So far the FTC has yet to find a company investigated for experiencing a security breach that is willing to challenge the agency’s contention that there was a violation of the Unfair and Deceptive Trade Practices Act. While the FTC would likely dispute it, the conclusion seems to be that a major security breach involving customer information is automatically a violation of some law.
So is being compliant with regulations and mandatory standards necessary? Absolutely. Companies that never get breached can still be fined or worse for not implementing the required controls. However, suggesting that is enough to escape liability is silly. If you want to avoid getting sued, then don’t get hacked. Failing that, mere compliance with slow moving regulations is a good recipe for not only being sued after a breach. It is a recipe for losing. Cost benefit analysis that includes penalties, private lawsuits, and internal harms are essential when deciding on the appropriate controls, but compliance is only half the story.
1 comment:
We typically ask our clients "Do you want to comply, or are you actually interested in securing something, because those are two different approaches?"
It really causes some doubletakes to be so blunt, but it gets to the heart of the matter quickly. If they say both, then we tell ask them what they are trying to protect, and take it from there.
We have worked with some health care organizations that simply want an application we build them to be HIPAA compliant (which is fairly easy to accomplish). They then ask us if it is secure and we then ask "Secure against what?"
Without a target (or better yet, a threat model) that question cannot be answered.
Post a Comment