When it comes to managing cybersecurity risks, too many enterprises today remain focused on doing little more than making sure their baseline compliance and security controls are in place. They’ll check the boxes: Passwords more than 8 characters with two numbers and a special character? Check. Firewall? Check. VPN? Check. Antimalware? Check.
Don’t get me wrong, it’s vital to have good authentication practices and to make sure that the appropriate security controls and technologies are in place. What’s lacking is the focus to make sure each of these functions is done correctly, and to ask whether more needs to be done under certain conditions. And those “certain conditions” would be informed by some form of threat intelligence.
If this sounds like your organization, there’s a good chance that the regulatory audit department is in charge of the security show. If cybersecurity risks are to be properly managed, that situation needs to be replaced with security and risk management programs that are independent of their regulatory compliance efforts.
What do I mean? For starters, security is about assuring that an enterprise’s information and systems are available, that their integrity remains intact, that they stay protected from snooping eyes and ears, and that data stay confidential. This should be the focus of security teams: putting cost-effective controls into place, based on an enterprise’s appetite for risk, to ensure that the confidentiality, integrity, and availability of data remain high.
Regulatory compliance and audit efforts have little to do with this. Their role is to make sure that controls are in place to meet the mandates required by external and internal compliance policies. While security overlaps with these functions – for instance, compliance and audit will review that mandated security-related controls (vulnerability assessments and patching, anti-virus, appropriate firewalls, etc.) are up and managed – compliance doesn’t speak to the totality of the organization’s risk posture, or to how the changing threat landscape will affect that risk, whether it is rising or falling.
Because regulatory mandates involve cybersecurity controls, there is always an overlap, and compliance is driving the budget and a big part of the security conversation in many of the companies I speak with.
For security teams, this is poison.
Compliance doesn’t equal security. And while compliance teams can help spot controls that are missing or inadequate, they seldom deal with the costs of those controls or with what new controls need to be put into place because of changing adversarial tactics. These compliance and audit departments don’t speak to the depth of the types of threats out there, what those threat actors may target within an organization, and what such an attack could cost the enterprise or its partners or customers. And they don’t generally have the technical depth to know how the deployment of new technologies, services, and applications can change the risk of an organization.
To succeed in security, organizations need to be able to identify attacks that are underway or likely to occur. They need accurate, relevant, and timely information about the threats they face and about the status of their security defenses and infrastructure as it relates to those attacks. This is all well outside the remit of the typical audit department.
Security teams also should be looking for antiquated controls: have Payment Card Industry Data Security Standard (PCI DSS)-related transactions been outsourced to a payment provider? Those systems can probably now be secured against real-world risks rather than against PCI DSS checkboxes.
Another difference: security teams also will look for signs of a system breach. They’ll scour logs and intrusion detection system alerts for signs of intruders. And they’ll evaluate changing world circumstances with an eye on whether those will change their level of enterprise risk. If they are in an industry that is suddenly in the political hot seat, the risk of hacktivist-motivated attacks increases. Again, these are areas to which audit and compliance pay little attention.
Finally, if your security team isn’t providing a threat intelligence capability, then the chances are that the security group is moving too heavily into the roles of audit and compliance.