Does anyone think the chances of surviving a plane crash increase if our tray tables are locked and our carry-on bags are completely stowed under our seats? That we'll be OK if the plane hits a mountain, as long as our seat belts are buckled securely across our waists? Not even the flight attendants, who are responsible for throwing us off the plane if we don't comply, really believe those rituals make us safer. And yet we check the box every flight, because a government agency said we can't fly unless we do.
I'm starting to wonder whether the obsession with checking boxes in cybersecurity is akin to securing our tray tables before take-off. We do as we're told, check all the boxes, pat ourselves on the back, and in the process distract ourselves from our ultimate goal: stopping the bad actors and protecting our data.
I started thinking about this somewhat disconcerting reality of the cybersecurity community while scanning the titles of some of the attendees at a recent regional cybersecurity conference. I was surprised by how often a title combined security with compliance. To wit: Manager, Information Security and Compliance; Manager, Security and Compliance Advisory; Senior Manager, Internal Controls and Compliance; Sr. Manager, IT Security & Compliance (among others). Add to this the countless "auditor" titles: roles designed specifically to assure fealty to the requirements of various standards.
Nearly all enterprise breaches originate in one of three ways, and all cybersecurity professionals know this:
- An unpatched vulnerability
- Credential theft
- Installation of malicious software (typically via phishing)
So, let's try an experiment. Ask a CISO or an experienced cybersecurity expert how they would defend their organization against these three breach types if:
1. They could completely ignore standards and compliance, would be given no credit for any level of compliance, and would face no ramifications for non-compliance
2. They could re-deploy every dollar of budget allotted to standards compliance and auditing any way they liked
3. Their single objective was to win the game (stop the bad actors and minimize their organization's risk of a compromise)
How many would conclude that the best use of those resources is to attain or retain compliance with a cybersecurity standard? And how many would instead spend the compliance and auditing budget on patching more vulnerabilities, hiring additional cybersecurity expertise, tooling to identify and reduce their external attack surface, and the myriad other measures that genuinely reduce an organization's cyber risk?
It's not as if dedication to compliance is any more of a guarantee against a breach than any other technology, strategy or prayer. Here are a few examples of compliant companies that have suffered high-profile breaches (thanks to ChatGPT for saving me the hours of research otherwise required to build this list):
- Equifax (PCI and NIST CSF)
- Target (PCI)
- Marriott (PCI)
- Anthem (HIPAA)
- Premera Blue Cross (HIPAA)
- CareFirst BCBS (HIPAA)
- SolarWinds (NIST CSF)
This is, of course, not an exhaustive list. Show me a large enterprise that was breached and I'll show you a large enterprise adhering to multiple compliance standards.
Indeed, just this month, several US government agencies were victims of an attack exploiting a vulnerability in file transfer software (albeit a zero-day). It's fair to assume those agencies strictly adhere to several regulations, and none of them prevented the breach.
So, why do we continue to be obsessed with cybersecurity compliance, standards, frameworks, etc.? The obvious reason is that organizations can be fined for non-compliance.
And yet there has been little effort among cybersecurity experts to challenge regulatory agencies. Indeed, many enthusiastically embrace compliance and congratulate themselves and their teams for achieving it. And, of course, no one loves compliance standards more than vendors, just as every barber in the world would celebrate a new law requiring everyone to get a haircut weekly.
The less obvious reason for our community's love of compliance is that it covers behinds. "Yes, we were breached, but we did everything we were supposed to do, so don't blame us." Coaches in every sport would call that a loser's attitude. Champions know there's no checkbox formula for winning and no excuse for losing, especially "we did everything we were supposed to and still lost." It's cliché, but the best teams and athletes "just know how to win."
Am I suggesting we abandon frameworks and compliance? Not immediately, and not without serious debate and analysis. But there is a case to be made that the compliance-centric philosophy governing cybersecurity decision-making today simply isn't working, and that we in cybersecurity are the living embodiment of the definition of insanity commonly (and wrongly) attributed to Einstein: doing the same thing over and over and expecting a different result.
Cybersecurity spending continues to increase, and yet breach incidents are increasing as well. It shouldn't be sacrilegious to propose that we consider changing our foundational philosophy from checking boxes on a compliance audit form to doing whatever makes sense to defend our organizations, and win.