In our most recent Tweet Chat, we had Ben Rothke join us as our special guest, and the topic for discussion was compliance.
If there ever was a topic that gets security professionals riled up, I think it would be compliance. There were many questions asked and answered; you can find most of the discussion by searching for the hashtag #AlienChat on Twitter. But for the purposes of this roundup, here are the top things I learned.
The Value of Compliance
What value does compliance bring? While there wasn’t overwhelming enthusiasm in support of the value of compliance, people were also not outright dismissive of it. Instead, we found a healthy level of cynicism amongst security professionals: there is recognition that compliance has its place - as long as it’s accompanied by some caveats.
Completely agree. Compliance should be part of a baseline. Baseline should be a step towards a higher goal, not the goal itself. Too many orgs seem to think compliance is the end of the road, not just part of the journey.
— Coyne-Op (@C0yn3_0p) July 19, 2018
A1: It can bring value when done in the larger context of good information security controls. For many compliance people, picture day is once a year. Information security people want it to be #infosec picture day every day. That’s the difference between security & compliance. #AlienChat
— Ben Rothke (@benrothke) July 19, 2018
It sets a minimum baseline. Maybe not helpful if you're meeting the same minimum year over year, which might foster complacency, but helpful if your sec program is new. #AlienChat
— Nick (@NickInfoSec) July 19, 2018
Compliance brings value, however that value is more closely related to enterprise risk than information security, per se. My approach is to develop a program based on the needs to address the security risk, but to ensure that the program also complies with any relevant regs.
— Rot26 (@rotate26chars) July 19, 2018
Some frameworks are mandatory, some are voluntary. I'd like to hear why a company chooses a certain standard before judging. :) #AlienChat
— Marco Tietz (@marcotietz) July 19, 2018
A2: Standards like ISO and NIST provide a framework, but a lot of effort is needed to fully implement them. Again, identifying, evaluating and addressing risks is essential. Get help eating the elephant. #AlienChat #MSSP
— Aaron Lancaster (@aarondlancaster) July 19, 2018
Or as Adrian Sanabria summed it up:
A1: It depends. #AlienChat
— Adrian Sanabria (@sawaba) July 19, 2018
Stuart Coulson raised a good point about the value that compliance can bring as a result of the business that is won or lost by having the right compliance certifications.
A2) I wonder what % of business is won due to compliance, monetary value? I guess it's low? Therefore is it of value, probably not. #AlienChat
— SPCoulson (@SPCoulson) July 19, 2018
The business angle was one that I particularly liked, because it brought us to the next big point of the discussion.
The Security Poverty Line
The security poverty line is very real for many companies. There is usually not enough staff, free time, or money available to make security a priority. These are the companies that will do the minimum to become compliant in order to win business. As a result, they are also more likely to be breached, and to be fined amounts they would struggle to pay.
But if you take a primary school that is already losing money in the year, no IT staff, all the free in the world won't help them. Get rid of a teacher or be secure. This is a real problem in so many areas e.g. Charities #AlienChat
— SPCoulson (@SPCoulson) July 19, 2018
Competent, experienced security staff is not cheap or easy to find, attract and hire. The tools are maybe 10% of the overall solution. Availability of free/OSS options helps, but there's still the other 90%. #AlienChat
— Adrian Sanabria (@sawaba) July 19, 2018
A4) for small companies yes, but they don't have IT staff to help them so they tend to be non-compliant for ages.
— SPCoulson (@SPCoulson) July 19, 2018
For big companies, they pay the fines easily, most have a contingency pot just in case or cyber insurance #AlienChat
I am so glad you said this. It's true. There are some big orgs that can afford fines, and can afford to do things right but don't, and walk away pretty much unscathed. Fines won't fix what's really wrong here. Punishment is not an incentive. #AlienChat
— 3ncr1pt3d (@3ncr1pt3d) July 19, 2018
On the other side of the poverty line, a major question is whether fines are an effective motivator to get companies to do the right thing. While they may be effective, I’m not sure they are necessarily the right motivators; after all, fines can be considered the F in FUD.
#AlienChat A4: Hard no. *points at recent mega breaches*. Most companies make deliberate decisions to "accept the risk" and "pay the fine" because they consider it "prohibitively expensive" to have bare minimum proper controls in place to be deemed compliant.
— SummerOfSYN (@da_667) July 19, 2018
A4) you really think Facebook getting a £500k fine really worried them? #AlienChat
— SPCoulson (@SPCoulson) July 19, 2018
A4. Yes. They looked up when you said fines. That's why it's called the almighty dollar. Or "hit them where it hurts". Money talks. OK. I'll stop now. #AlienChat
— 3ncr1pt3d (@3ncr1pt3d) July 19, 2018
In my experience, the fines only motivate AFTER an event. It's better than nothing, but I've seen too many people play 'dice' with compliance, figuring they are too small a target to get popped. "Management Accepts the Risks." #AlienChat
— Joseph Nyleen (@JoeKnowsCyber) July 19, 2018
One journalist tried to make a big deal out of Home Depot settling a suit for $27m in connection with their 2014 breach.
— Adrian Sanabria (@sawaba) July 19, 2018
I pointed out that, at $100bn+ in revenue, Home Depot's revenue is greater than the entire cybersecurity market's revenue. Context matters. #AlienChat
Personal Accountability
So, if fines are not the best motivator, then what is? Apparently, a level of personal accountability can go a long way; there were even suggestions to arrest executives when their actions impact people’s lives.
#AlienChat A5: Start arresting executives. When decision-makers are threatened with jail time for ruining the lives of customers who placed their trust (or didn't have a choice /but/ to place their trust) in them, I'll bet you will notice a distinct lack of "we accept the risk."
— SummerOfSYN (@da_667) July 19, 2018
tell me they weren't compliant.
— Dan Tentler (@Viss) July 19, 2018
show me their people being walked out in handcuffs for defrauding essentially the world.
then maybe i might care about compliance.
Like @da_667 said, personal liability on the part of executives. SOX set that precedent. Obviously getting hacked shouldn't mean jail time. Gross negligence, failure to disclose a breach that affects customers/personnel, stuff like that should be in scope though. #AlienChat
— Nick (@NickInfoSec) July 19, 2018
Corporate brand protection was also brought up:
A5: I think a huge motivator for #business #infosec spend is #branding protection. A #breach is just bad optics and that speaks to decision makers. #AlienChat #whatsinaname
— Aaron Lancaster (@aarondlancaster) July 19, 2018
Cloud Compliance
Is the need for cloud compliance here? Ben seems to think it’s a vital issue that needs addressing, and I’m inclined to agree with him.
I think 'shared responsibility' is the key point here. Traditionally it was 'all on you' and now you need to clarify who does what with ext parties. Not always clear to folks. 'AWS is PCI compliant so let's just move our processing there' #AlienChat
— Marco Tietz (@marcotietz) July 19, 2018
A3: The need for #cloud #compliance is here and will only continue to grow. Proper deployment and management is critical. #azure and #AWS can be great enablers for #business but we are still seeing a lot of mis-configured environments leading to a #breach. #AlienChat
— Aaron Lancaster (@aarondlancaster) July 19, 2018
#AlienChat A3: I hate to admit it, but yes, it most certainly will. The cloud will be here to stay so long as people can be swindled into thinking about the short-term savings. Enforceable best practices need to be built around cloud services so at least minimal effort is applied.
— SummerOfSYN (@da_667) July 19, 2018
In Closing
I think compliance means well and its heart is in the right place. But by itself, it isn’t security - it’s something that can be factored into the overall risk assessment. After all, we’re all about balancing risk.
It’s worth scrolling through some of the discussion threads that cropped up during our Tweet Chat. Stay tuned for upcoming Tweet Chats with our special guests and let us know if you have suggestions for topics to address in a future #AlienChat.

Article Link: http://feeds.feedblitz.com/~/560503438/0/alienvault-blogs~The-Security-Compliance-Tweet-Chat-What-We-Learned