Wednesday, October 28, 2009

Compliance Conundrum Part 2

It’s a bit ironic that a practice designed to keep organizations on the straight and narrow has instead served as a symbol of ineffectiveness within the information security profession.  But unfortunately, the very existence of compliance programs has been a sign of weakness rather than strength.  As evidence piles up showing the ineffectiveness of enterprise security programs, the outcry for regulation grows louder.  The sad fact is that it doesn’t have to be that way.


But first, let’s provide a little background.  I teach a class called Legal and Ethical Principles in Information Security.  One of the first things I tell my students is that they need to understand the difference between risk and ethics.  Not every decision made about security is an ethical decision.  For example, the decision to use an eight-character password rather than a nine-character password is a risk-based decision.  While a policy may require a longer password, the decision to do so is rather arbitrary and isn’t necessarily a consensus opinion that requiring a longer password is the “right thing to do.”  Instead, it’s a risk-based decision.  Now here is where the twist comes in.  A two-character password, if it’s used to secure someone else’s data, could be unethical.  That is because ethics is really about taking on unreasonable risk that affects others without their consent.  Of course, what’s unreasonable is open to debate, but the consensus opinion often becomes the policies, regulations, standards, and laws we all need to follow, or, in other words, compliance.


But let me be clear.  I’m not saying that compliance isn’t a fact of life or even inevitable.  Human beings tend to act in their own self-interest, often to the detriment of the whole.  We’ll always need laws that regulate pollution, prohibit fraud, and protect consumers.  However, what we’re seeing with information security goes beyond that.  We’re now passing laws and regulations that are the equivalent of requiring banks to lock their money in vaults.  It would be one thing if organizations were careless with other people’s data but careful with their own crown jewels.  Instead, we have the Payment Card Industry (PCI) Digital Security Standard (DSS) mandating firewalls and anti-virus software because organizations fail to even implement such rudimentary controls for any part of their enterprise.  Simply put, when laws are needed to get us to protect what is valuable to us, we know we’ve failed.


When business processes and technologies aren’t transparently implemented to consistently meet both regulatory and business requirements, auditors and compliance officers are needed to constantly look under the covers to note the irregularities and correct them.  And can we blame them for wanting to come back when they seem to find more problems each time they look?  Manufacturers have used process improvement methodologies like Six Sigma to reduce the error rate for very complicated manufacturing processes down to a few defects per million.  Only in a dream world could software developers and system integrators hope to accomplish that.  We can quibble about the differences between these two worlds.  But by any measure, enterprise security has not done well by comparison.


Like the optimistic police officer hoping to be so successful that his job will go away, I’m hoping we can make the compliance process more efficient and useful, so that someday we won’t need to talk about it.  Fortunately for this blog, the material is not going to run out anytime soon.
