Compliance vs. Security

By Adrian Lane

Reading Bill Brenner’s PCI Security a Devil, ‘Like No Child Left Behind’, I had the impression Brenner’s summary of Joshua Corman’s presentation would be: Joshua was %#!*$ crazy. In a nutshell:

“Organizations have made PCI DSS and compliance in general the basis of their information security policies,” he said. “They’re basing security on sloppy logic from Visa and MasterCard and in the process are ignoring some very bad state-sponsored threats. As a community, we have not evolved at all.”

You have to read the whole article to fully grasp Corman’s nuances, and note that some of the inflammatory additions seem to be Bill’s, rather than direct quotes from Joshua. Still, while there are points I agree with, Corman seems to have connected the dots arbitrarily. Not only do I not see general security policies being based on compliance initiatives, I don’t buy the argument that compliance comes at the expense of security. Is there overlap? Absolutely. But the recognized lack of security is motivated by completely different forces. In the presence of evidence that many organizations are doing the absolute minimum to comply with regulations, how can you suppose that they would voluntarily invest in security without compliance requirements? Why would companies take a risk-based approach to spending efficiently, when they really don’t want to spend at all?

To me, companies embody the approach of The Three Wise Monkeys: “See no evil. Hear no evil. Speak no evil.”

Regulations espouse the ideals of safety, security and efficacy, and companies want tasks performed cheaply, quickly, and easily. Regulation is supposed to alter the way companies do business, providing guidance on how to realize the ideal. Companies often handle compliance as just another task, and try to address it from within the same processes the compliance mandate is designed to reform. If companies could be trusted to come close to the ideals and intentions, we would not have auditors.

Part of Corman’s presentation seems to be a derivative of his 8 Dirty Secrets presentation (summarized), where part 6 discusses how “Compliance Threatens Security”. Do I think that security product vendors are “…offering products that do everything from offer PCI compliance out of the box to ultimate cure-alls for healthcare entities coping with the demands of HIPAA”? Absolutely. But this was the cheapest, fastest and easiest way to comply. Take Sarbanes-Oxley as an example: products like Database Activity Monitoring and Log Management are the only way to achieve some of the required controls over automated financial systems that process millions of transactions a day. The fact that these unique data collection and analysis capabilities came from a security vendor is incidental. The security investment was made to satisfy a compliance mandate, not for the sake of security. The fact that the tools provide security as well is a by-product for many vendors and customers, often considered unimportant or incidental.

If I were going to create my own Dirty Little Secret list, I would say most companies treat security as “Don’t Ask, Don’t Tell”. Security tools that are bought to fulfill compliance have a bad habit of illuminating threats companies really don’t want to know about. They want to pass their compliance audits and not worry about the other problems discovered … those just lead to additional expenses. If you doubt my cynical perspective, look at how most firms react when told their corporate network is host to 5,000 bots that just commenced a DDoS attack on another company: they tend to threaten suit for invasion of privacy or libel. Another example we see is that a high percentage of companies have web application firewalls for PCI, but run them as monitors rather than proxies! They need to have a WAF to comply with PCI, so they bought one, but no one mandated that they use it effectively. Security professionals really care about security, but executive management cares precisely as much as legal and finance tells them to.

I think security is a really hard problem, and far too often our attempts at security are flawed. I just don’t see any evidence that risk management is subjugated to compliance.


PCI is the Devil

By Will Gragido

Wow. Hard to know where to start here. There is a lot to like and appreciate about Corman’s positions. Security innovation has clearly suffered because organizations are feeding the compliance beast. Yes, there is some overlap - but it’s more being lucky than good when a compliance mandate actually improves security.

The reality is BOTH security and compliance do not add value to an organization. I’ve heard the “enabling” hogwash for years and still don’t believe it. That means organizations will spend the least amount possible to achieve a certain level of “risk” mitigation - whether it’s to address security threats or compliance mandates. That is not going to change.

What Josh is really doing is challenging all of us to break out of this death spiral, where we are beholden to the compliance gods and that means we cannot actually protect much of anything. Compliance is and will remain years behind the real threats.

How we fill that gap is what the next 5 years of security is all about. Josh hasn’t pulled the curtain back on his ideas about that (yet), but that’s really the issue.

At least from where I sit…


By Mike Rothman

@shrdlu - And I think that left to their own devices, companies would treat security and compliance with equal contempt. It’s an issue of perspective. Compliance is a distraction. I have no argument with that statement. But recognize that business leaders view compliance as an economic impediment, and security professionals look at compliance as an impediment to optimal security. To imply the removal of the compliance distraction would cause companies to embrace risk management and go after REAL threats is, in my opinion, folly. The perspective is one of a security practitioner, not a business leader. Until companies have had to embrace the economic necessity of security, they are not looking to be secure, and will not view the advantage of a risk-based model over generic compliance guidelines.

@erik - Do I do code review, hire pen testers or buy a WAF? The vendors are telling me _their solution_ is the best, and will provide better security and cost less in the long run. Which do I choose?

Where I think compliance hurts us is specifying adoption of a technology as if security was a ‘one-size-fits-all’ problem. Any one of these technologies is the right choice, depending upon the situation. Another example is with PCI: even though it has accommodations for risk management in the use of compensating controls, the effort to document, explain and defend these optional methods becomes quite a bit of work. Innovation takes a hit when companies don’t push the vendors to do more and do it better. I have been on the vendor side for a very, very long time. Believe me, if I _know_ companies will buy a certain product because it solves a business problem, I’m going to build it. Innovation has a way of popping up when there is money to be made.


By Adrian Lane

I kind of agree with Corman, or perhaps read something different into it. Unfortunately from the “vendor” side, PCI at times can seem to stifle security innovation and what seems like a better solution for both compliance and security. There is so much money (for now) luring good ideas into sub-optimal solutions around a standard that it’s hard not to get caught up in the fervor. For now I suppose that compliance initiatives are helping educate companies about security-as-a-by-product, but I kinda look forward to 2014 (random date) when things have moved on to a whole new set of challenges.

By erik swan

I think what Corman is getting at is that creating regulatory threats is distracting organizations from focusing on and managing risk from REAL threats. Creating something like PCI-DSS has the (possibly) unintended consequence of sending the message, “If you don’t think hackers are a threat, fine, WE’LL be the threat, and we’ll fine your ass.”

Managing to the wrong threat means you’re managing to the wrong risks, and that’s how security can suffer.

By shrdlu
